Genshin Impact Ransomware Infection: Adversaries Abuse the Anti-Cheat Driver

Genshin Impact's Anti-Cheat Software

Genshin Impact, a popular open-world action RPG, is being leveraged to spread ransomware. Threat actors abuse mhyprot2.sys, a vulnerable anti-cheat driver shipped with the game, to terminate antivirus processes and services before dropping ransomware. Using the legitimate, signed driver as a rootkit, the adversaries first deploy the ransomware on the initial target machine and then seek to spread the infection to other workstations.

Detect Ransomware Exploits

To identify behaviors associated with the abuse of Genshin Impact's vulnerable mhyprot2.sys driver, utilize the following threat detection content released by seasoned Threat Bounty contributors Kaan Yeniyol and Aykut Gürses:

Detection of Genshin Impact Anti-Cheat Driver in Ransomware Activity

The Sigma-based rules are mapped to the MITRE ATT&CK® framework v.10 and can be applied across 26 SIEM, EDR, and XDR solutions supported by SOC Prime's platform.

The Threat Detection Marketplace hosts over 130,000 vetted detection content pieces, including detections, alerts, hunting queries, and playbooks. About 140 new detections are added each month. Click the Detect & Hunt button to reach the dedicated high-quality detection content to identify possible ransomware exploits. For insightful contextual information, click the Explore Threat Context button, and drill down to the list of relevant Sigma rules accompanied by comprehensive metadata — no registration required.


The Incident Analysis

The disclosure from Trend Micro's researchers details a recent abuse of the role-playing game Genshin Impact by ransomware actors. According to the research data, threat actors leverage a vulnerable code-signed driver responsible for the game's anti-cheat functions. By abusing mhyprot2.sys, a driver within the game's anti-cheat system, ransomware actors can bypass the operating system's privilege restrictions and terminate endpoint protection processes by executing commands from kernel mode.

It was also revealed that this vulnerability has been known for about two years and still remains unfixed.
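The behavior described above leaves two traces a defender can correlate: a load of mhyprot2.sys (which, being a signed driver, may succeed even on hosts that have never had the game installed) followed shortly by the termination of endpoint protection processes. The script below is an added example of that correlation over Sysmon events exported as newline-delimited JSON; it is not one of the Sigma rules referenced in this post and not Trend Micro's code. It assumes Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate) records carrying `UtcTime`, `Computer`, `ImageLoaded` and `Image` fields, a hypothetical game install folder name, and a constructed watch list of protection processes; the log lines are constructed, not captured.

```python
"""Added example: flag loads of the vulnerable mhyprot2.sys driver in Sysmon
JSON logs and correlate each load with protected-process terminations that
follow it on the same host. Not SOC Prime's or Trend Micro's code."""
import json
from datetime import datetime, timedelta

DRIVER_NAME = "mhyprot2.sys"
# Assumption: the game installs its anti-cheat driver under a folder whose
# path contains this substring; a load from anywhere else is scored higher.
GAME_DIR_HINT = "genshin impact"
# Constructed watch list of endpoint protection binaries; replace with the
# agents actually deployed in your fleet.
PROTECTED_PROCESSES = {"msmpeng.exe", "edr-agent.exe"}
# Terminations this soon after the driver load are attributed to it.
WINDOW = timedelta(seconds=60)


def parse_events(lines):
    """Parse newline-delimited JSON Sysmon events; skip malformed lines."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "UtcTime" not in ev:
            continue
        ev["_ts"] = datetime.fromisoformat(ev["UtcTime"])
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def driver_loads(events):
    """Sysmon Event ID 6 (DriverLoad) records whose image is mhyprot2.sys."""
    return [e for e in events
            if e.get("EventID") == 6
            and e.get("ImageLoaded", "").lower().endswith(DRIVER_NAME)]


def correlate(events):
    """For every mhyprot2.sys load, collect Sysmon Event ID 5 (ProcessTerminate)
    records for protected processes on the same host within WINDOW afterwards."""
    findings = []
    for load in driver_loads(events):
        kills = [e for e in events
                 if e.get("EventID") == 5
                 and e.get("Computer") == load.get("Computer")
                 and load["_ts"] <= e["_ts"] <= load["_ts"] + WINDOW
                 and e.get("Image", "").rsplit("\\", 1)[-1].lower() in PROTECTED_PROCESSES]
        outside_game_dir = GAME_DIR_HINT not in load["ImageLoaded"].lower()
        # Any load is worth an alert; a load outside the game folder or one
        # followed by protection processes dying is the ransomware pattern.
        severity = "high" if (kills or outside_game_dir) else "medium"
        findings.append({
            "host": load.get("Computer"),
            "time": load["UtcTime"],
            "image": load["ImageLoaded"],
            "outside_game_dir": outside_game_dir,
            "terminated_protected": [k["Image"] for k in kills],
            "severity": severity,
        })
    return findings


# Constructed sample log: a load from a user-writable folder followed by the
# Defender engine being terminated, then a benign load from the game folder.
SAMPLE_LOG = [
    '{"EventID": 6, "UtcTime": "2022-08-24T10:00:01", "Computer": "WS01", "ImageLoaded": "C:\\\\Users\\\\Public\\\\mhyprot2.sys"}',
    '{"EventID": 5, "UtcTime": "2022-08-24T10:00:15", "Computer": "WS01", "Image": "C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe"}',
    '{"EventID": 1, "UtcTime": "2022-08-24T10:00:20", "Computer": "WS01", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"EventID": 6, "UtcTime": "2022-08-24T12:30:00", "Computer": "WS02", "ImageLoaded": "C:\\\\Program Files\\\\Genshin Impact\\\\Genshin Impact Game\\\\mhyprot2.sys"}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Running it reports the WS01 load as high severity with MsMpEng.exe listed under `terminated_protected`, and the WS02 load from the game folder as medium with no terminations. Because the driver is legitimately signed, the path and the follow-on terminations, not the signature, carry the signal; in a SIEM the same logic maps to a driver-load rule joined to process-terminate events over a short window.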

In July, we introduced some significant improvements to SOC Prime’s Threat Bounty Program. Learn more about the cyber world’s most prolific detection content developers’ program and secure your place among industry leaders with SOC Prime.
