Skeptics and security advocates have been concerned for some time now that exploits capable of taking advantage of kernel-mode anti-cheat drivers could wreak serious havoc on PC security. Now, it seems to have happened: the anti-cheat driver used by Genshin Impact, the popular free-to-play RPG, has been abused by a ransomware actor to shut down antivirus processes and allow their ransomware to be massively deployed.
A new white paper published on August 24 by Trend Micro explains how the perfectly legitimate mhyprot2.sys driver was used, without any other part of Genshin Impact being present, to gain root access to a system.
“Security teams and defenders should note that mhyprot2.sys can be bundled with any malware,” wrote authors Ryan Soliven and Hitomi Kimura.
“Genshin Impact does not need to be installed on the victim’s device for this to work; use of this driver is game independent.”
Kernel-mode drivers sit at the very heart of your computer’s operating system. At the risk of oversimplifying, kernel-level software usually has more control over your PC than you do. Genshin Impact’s anti-cheat was previously observed to keep running, at kernel level, even after the game was closed. Developer HoYoVerse, then known as MiHoYo, later changed this.
The paper states plainly that this is a serious breach of security across the entire Windows operating environment. It notes that the driver module “cannot be deleted once distributed” and is not inherently malicious; it is otherwise legitimate software that is being abused.
“This module is very easy to obtain and will be available to everyone until it is erased from existence,” the paper said. “It might remain a useful utility for bypassing privileges for a long time. Certificate revocation and antivirus detection might help discourage abuse, but there are no workarounds at this time as it’s a legitimate module.”
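As an added illustration of the detection point above (this is not code from the Trend Micro paper or from this article), the following Python check flags loads of mhyprot2.sys that do not match the game's own use: the driver loaded from outside the game's install directory, or loaded on a host where the game is not installed at all. The log format, the sample events and the game-directory hint are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of driver-load events in an assumed "key=value" text
# format. The paths are made up; the signer and driver name are the ones the
# article discusses. Note that every mhyprot2.sys load is validly signed, so a
# signature check alone does not separate the game's use from abuse.
SAMPLE_EVENTS = """\
time=2022-08-24T10:01:02Z image=C:\\Windows\\System32\\drivers\\ntfs.sys signed=true signer=Microsoft Windows
time=2022-08-24T10:05:40Z image=C:\\Program Files\\Genshin Impact\\Genshin Impact game\\mhyprot2.sys signed=true signer=miHoYo Co.,Ltd.
time=2022-08-24T11:17:09Z image=C:\\Users\\Public\\kill_svc\\mhyprot2.sys signed=true signer=miHoYo Co.,Ltd.
"""

DRIVER_NAME = "mhyprot2.sys"
# Substring expected in the driver path when the game itself loads it (assumption).
GAME_DIR_HINT = "genshin impact"


@dataclass
class Finding:
    time: str
    image: str
    reason: str


def parse_events(text):
    """Parse key=value records, one per line, allowing spaces inside values."""
    events = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))
        if fields:
            events.append(fields)
    return events


def find_suspicious_loads(events, game_installed):
    """Flag anti-cheat driver loads that do not look like the game's own use."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        if not image.lower().endswith(DRIVER_NAME):
            continue  # some other driver; not of interest here
        if not game_installed:
            findings.append(Finding(ev["time"], image, "driver loaded but game not installed"))
        elif GAME_DIR_HINT not in image.lower():
            findings.append(Finding(ev["time"], image, "driver loaded from outside game directory"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_loads(parse_events(SAMPLE_EVENTS), game_installed=True):
        print(f"{f.time} {f.image}: {f.reason}")
```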
This isn’t the first time that kernel-level anti-cheat has been a security issue for the gaming industry. There was a double whammy in May 2020, when Riot Games’ Valorant and Doom Eternal both released with kernel-mode anti-cheat. At the time, Riot noted that plenty of other kernel-level anti-cheat software already existed, but none went as far as Riot’s Vanguard software, which starts at Windows boot.
But kernel-level anti-cheat technology is generally effective, and for some players tired of dealing with cheaters, that makes the risk worthwhile. Late last year, for example, Call of Duty players were unhappy enough with cheaters that some welcomed Activision Blizzard having access to every bit of memory on their PCs.
Regardless of the history and the now widespread usage, this kind of abuse is exactly what those who feared the spread of kernel-mode anti-cheat were warning about. When a vulnerability is found, the consequences can be far worse than with ordinary user-level anti-cheat software. I have reached out to MiHoYo for comment on the report and will update this article if I receive a response.