Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

Researchers analyze mhyprot2.sys, a vulnerable Genshin Impact anti-cheat driver, showing how a ransomware actor weaponizes it to bypass privileges and terminate antivirus processes. The case highlights how legitimate drivers can be abused for privilege escalation and mass deployment, with PoCs and detailed sequencing defenders should monitor. #mhyprot2.sys #GenshinImpact #kill_svc #avg.msi #Impacket #RDP

Keypoints

  • The code-signed mhyprot2.sys anti-cheat driver is abused to bypass privileges and kill antivirus services, enabling ransomware deployment.
  • Initial access and lateral movement leveraged Impacket tools such as secretsdump and wmiexec to dump credentials and run commands remotely.
  • The attacker connected to the domain controller via RDP using compromised administrator credentials to pivot.
  • The ransomware chain included dropping kill_svc.exe and mhyprot2.sys on the desktop, with mhyprot2.sys installed as a service to terminate security processes.
  • avg.msi on the NETLOGON share masqueraded as AVG Internet Security and dropped components (logon.bat, HelpPane.exe) to install mhyprot2.sys and kill antivirus services.
  • Mass deployment was pursued through startup/logon scripts and PsExec, with a batch file (b.bat) listing target workstations for propagation.
  • The mhyprot2.sys driver and related tools enable kernel-mode actions via DeviceIoControl codes (0x81034000) to terminate processes.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – The threat actor used the code-signed mhyprot2.sys driver to bypass privileges and kill antivirus processes. “The driver is loaded … to terminate the processes in the list.”
  • [T1562.001] Impair Defenses – Kill antivirus and security services during the infection sequence. “kill antivirus services.”
  • [T1047] Windows Management Instrumentation – wmiexec was used to run discovery commands in the context of the domain admin account. “discovery commands using wmiexec …”
  • [T1003] Credential Dumping – Secretsdump dumps secrets from the remote machine without executing any agent there. “secretsdump — which dumps secrets from the remote machine without executing any agent there.”
  • [T1021.001] Remote Desktop – The actor connected to the domain controller via RDP with another compromised administrator account. “connected to the domain controller via RDP using another compromised administrator account.”
  • [T1021.002] Remote Services – PsExec was used to deploy components to other workstations with domain admin credentials. “deployed via PsExec using the credentials of the built-in domain administrator account.”
  • [T1036] Masquerading – avg.msi masquerades as AVG Internet Security; HelpPane.exe masquerades as Microsoft Help and Support executable. “avg.msi … masquerading as AVG Internet Security” / “HelpPane.exe … masquerading as Microsoft Help and Support executable”
  • [T1543.003] Windows Service – mhyprot2.sys is installed as a service (mhyprot2) to enable its privileged actions. “mhyprot2.sys … installed … as a service”

Indicators of Compromise

  • [File hash] SHA-1 – 0466e90bf0e83b776ca8716e01d35a8a2e5f96d3
  • [File name] – mhyprot2.sys, kill_svc.exe, avg.msi, avg.exe, logon.bat, svchost.exe
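As an added detection example (not code from the Trend Micro write-up), the following Python evaluates host telemetry against the chain summarised in the key points and the indicators above: driver loads matching the mhyprot2.sys hash, a service named mhyprot2 registered from a staging location, tool drops on the desktop or NETLOGON share, and the 0x81034000 DeviceIoControl code. The event layout, the staging-path heuristic and the `\\.\mhyprot2` device name are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass

# Indicators and staging locations taken from the write-up; device name and log shape are assumptions.
MHYPROT2_SHA1 = "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3"
DROPPED_FILES = {"mhyprot2.sys", "kill_svc.exe", "avg.msi", "avg.exe", "logon.bat", "helppane.exe"}
STAGING_HINTS = ("\\desktop\\", "\\netlogon\\", "\\startup\\")
KILL_PROCESS_IOCTL = 0x81034000  # DeviceIoControl code the driver exposes to terminate processes

@dataclass
class Event:
    kind: str          # "driver_load" | "service_install" | "file_create" | "ioctl"
    path: str = ""     # driver image, service ImagePath, or created file
    sha1: str = ""
    service: str = ""
    device: str = ""
    ioctl: int = 0

def staged(path: str) -> bool:
    # True when the path sits where the actor staged tooling (desktop, NETLOGON, startup folders).
    return any(h in path.lower() for h in STAGING_HINTS)

def evaluate(ev: Event) -> list[str]:
    """Return detection labels for one event; an empty list means nothing to report."""
    hits, name = [], ev.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if ev.kind == "driver_load" and (ev.sha1.lower() == MHYPROT2_SHA1 or name == "mhyprot2.sys"):
        # The driver ships with a legitimate game, so a load from a staging path is the stronger signal.
        hits.append("mhyprot2.sys loaded" + (" from staging path" if staged(ev.path) else ""))
    if ev.kind == "service_install" and ev.service.lower() == "mhyprot2" and staged(ev.path):
        hits.append("mhyprot2 service registered from staging path")
    if ev.kind == "file_create" and name in DROPPED_FILES and staged(ev.path):
        hits.append(f"tool drop: {name}")
    if ev.kind == "ioctl" and ev.ioctl == KILL_PROCESS_IOCTL and "mhyprot2" in ev.device.lower():
        hits.append("process-kill IOCTL sent to mhyprot2 device")
    return hits

def scan(events: list[Event]) -> dict[int, list[str]]:
    # Map event index -> labels, keeping only the events that fired.
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}

# Constructed sample telemetry (not from a real incident) mirroring the chain described above.
SAMPLE = [
    Event("file_create", path=r"\\dc01\NETLOGON\avg.msi"),
    Event("file_create", path=r"C:\Users\admin\Desktop\kill_svc.exe"),
    Event("driver_load", path=r"C:\Users\admin\Desktop\mhyprot2.sys", sha1=MHYPROT2_SHA1),
    Event("service_install", service="mhyprot2", path=r"C:\Users\admin\Desktop\mhyprot2.sys"),
    Event("ioctl", device=r"\\.\mhyprot2", ioctl=0x81034000),          # device name assumed
    Event("file_create", path=r"C:\Windows\System32\svchost.exe"),     # benign: not a staging path
]

if __name__ == "__main__":
    for i, labels in scan(SAMPLE).items():
        print(i, labels)
```

A hash-only match on mhyprot2.sys will also fire on machines that legitimately run the game, so the staging-path and service-registration labels are the ones worth alerting on.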

Read more: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html