Weaponizing game code to attack a company

An unusual case of an attack executed by weaponizing legit video game code.

Released on PC and consoles in September 2020, the action-adventure video game Genshin Impact was created by miHoYo Limited of China. The Windows version comes with a module combating gaming cheats, which incorporates a driver named mhyprot2.sys. It provides the game’s defense mechanism with broad system privileges, and has a digital signature to prove its rights. The game needs this for detecting and blocking tools that help circumvent built-in restrictions. Unexpectedly, hackers have found another use for the driver.

In August 2022, Trend Micro released a report about an unusual attack on corporate infrastructure. The attack used this particular driver mhyprot2.sys. In a nutshell, a hacker group figured out that it could use virtually unlimited system privileges afforded by the driver and the associated legitimate digital certificate as tools for a targeted attack. And you don’t even need to install the game itself to become a victim.

Working around protection

The report details an attack on an unnamed victim, while omitting the initial method the hackers used to penetrate the given corporate infrastructure. All we know is that they used a compromised administrator account to access the domain controller via RDP. In addition to stealing data from the controller, the hackers placed there a shared folder with a malicious installer which they disguised as an antivirus. The attackers used group policies to install the file on one of the workstations — and this was probably a rehearsal for a mass infection of computers in the organization.

However, the attempt to install the malware on the workstation failed: the module that was supposed to encrypt data — clearly expected to be followed up by ransom demand — failed to run, and the attackers had to start it manually later. They did succeed in installing the perfectly legal driver mhyprot2.sys from Genshin Impact, though. Another utility they deployed in the system gathered data on processes that could interfere with the installation of the malicious code.

List of processes force-stopped by the game driver.

List of processes force-stopped by the game driver. Source.

All of the processes on the list, including security solutions active on the computer, were halted by the mhyprot2.sys driver one by one. Once the system was stripped of its defenses, the actual malware tool started up, encrypting files and leaving a ransom note.

Not a typical hack

The case is interesting since it demonstrates the exploitation of what is essentially legitimate software distributed as part of a fairly popular computer game. Trend Micro discovered that the mhyprot2.sys driver used in the attack was signed in August 2020 — shortly before the game’s initial release. Cybercriminals tend to use stolen private certificates for signing malicious programs or exploiting vulnerabilities in legitimate software. In this case, however, the hackers utilized the driver’s regular features, i.e., full access to the RAM and the ability to halt any processes in the system. Such legitimate programs pose an added risk for the corporate infrastructure administrator since they can easily be overlooked by monitoring tools.

It took users of Genshin Impact a little time to notice the somewhat unusual behavior of mhyprot2.sys. For instance, the module remained in the system even after the game was uninstalled, meaning all PC users of the game, both present and past, are somewhat vulnerable and their computers are easier to attack. Interestingly enough, discussions on cheater message boards about how the driver could be exploited to combat anti-cheat systems, also by taking advantage of the module’s broad capabilities and the digital signature, date back to October 2020.

This should serve as a reminder for developers of software with elevated privileges to use their system rights with caution; otherwise, their code may be used for cyberattacks instead of protection from hackers. Genshin Impact’s developers were informed about the potential issues associated with the driver last summer, but they did not deem the module’s dangerous behavior a problem. For one thing, the digital signature was still in place at the end of August, 2022.

Recommendations for companies

You can reduce the risk of a successful attack using the above scenario both by including the potentially dangerous driver on your monitoring list, and by using security measures with broad self-defense capabilities. Don’t forget that the hackers initially gained access to the domain controller. So that situation was already dangerous: they could use less inventive tricks to keep spreading malware across the corporate network.

Typically, detection of games installed on employee computers is only considered important from a productivity perspective. The Genshin Impact anti-cheat incident is a reminder that “unnecessary” programs can be not only a distraction but also an extra security risk. They add to potentially vulnerable software, and in some cases bring openly dangerous code inside the security perimeter.