Security advocates and skeptics have long been concerned that exploits taking advantage of anti-cheat kernel-mode drivers could do serious damage to PC security. It seems that it has now happened. A ransomware actor used the anti-cheat driver of Genshin Impact, a popular free-to-play RPG, to block antivirus processes and allow the mass deployment of their ransomware.
Trend Micro published a whitepaper on August 24th explaining how the legitimate driver mhyprot2.sys was used to gain root-level access; the malware used only the driver, with no other part of Genshin Impact involved.
Ryan Soliven and Hitomi Kimura wrote that mhyprot2.sys could be integrated into malware.
Kernel-mode drivers sit at the heart of your computer's system. Although this may be a gross oversimplification, kernel-mode drivers generally have more control over your computer than you do. Genshin Impact's anti-cheat once came under scrutiny because it kept running at the kernel level even after you shut down the game. Developer HoYoVerse (then known as MiHoYo) later changed this.
The paper makes clear that the whole Windows operating system is at risk. The driver module cannot be recalled once distributed, and it isn't inherently malicious. It is simply an otherwise-legitimate piece of code being abused.
The paper says that the module is easy to obtain and will remain available until it is taken out of circulation. It could be used to bypass privilege checks for a long time to come. Although antivirus detection and certificate revocation might help prevent abuse, there is currently no solution, because the module itself is legitimate.
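Because the driver's signature is valid, a defender cannot key on "is it signed"; detection has to look at where the file is loaded from and on which hosts. The following is an added illustration, not code from the Trend Micro paper or from this post: the Sysmon-style driver-load records, the host names and the game's install directory are all constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample records in the shape of Sysmon Event ID 6 (Driver loaded)
# fields. These are made-up events for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "gamer-pc", "Signed": "true", "Signature": "<publisher placeholder>",
     "ImageLoaded": r"C:\Program Files\Genshin Impact\Genshin Impact Game\mhyprot2.sys"},
    {"host": "file-srv", "Signed": "true", "Signature": "<publisher placeholder>",
     "ImageLoaded": r"C:\Users\Public\update\mhyprot2.sys"},
    {"host": "file-srv", "Signed": "true", "Signature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

# Assumed allow-list of directories where the game's own installer places the
# driver; the exact path is an assumption made for this example.
EXPECTED_DIRS = {
    str(PureWindowsPath(r"C:\Program Files\Genshin Impact\Genshin Impact Game")).lower(),
}

# Driver file names the report describes as being bundled, unmodified, with malware.
WATCHED_DRIVERS = {"mhyprot2.sys"}


def find_suspicious_driver_loads(events, expected_dirs=EXPECTED_DIRS,
                                 watched=WATCHED_DRIVERS):
    """Return (host, path, reason) for each load of a watched driver that comes
    from a directory other than the one the game installs it into.

    The signature fields are deliberately NOT used as a filter: the driver is
    legitimately signed, so "Signed: true" tells a defender nothing here.
    Load location (and, in a real deployment, host role) is what stands out.
    """
    findings = []
    for ev in events:
        path = PureWindowsPath(ev["ImageLoaded"])
        if path.name.lower() not in watched:
            continue
        parent = str(path.parent).lower()
        if parent not in expected_dirs:
            findings.append((ev["host"], str(path),
                             "watched driver loaded outside its expected directory"))
    return findings


if __name__ == "__main__":
    for host, path, reason in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"{host}: {reason}: {path}")
```

On real telemetry the same rule would be fed from Sysmon or EDR driver-load events, with the allow-list restricted to machines where the game is actually expected to be installed.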
This is not the first time kernel-level anti-cheat has become a security issue for the games industry. In May 2020, Riot Games' Valorant shipped with kernel-mode anti-cheat software, and Doom Eternal did the same. Riot pointed out that plenty of kernel-level anti-cheat software already existed, though none went as far as Riot's Vanguard, which starts as soon as Windows boots up.
However, kernel-level anti-cheat technology can be very effective, and for gamers tired of dealing with cheaters it is worth the risk. Call of Duty players were so fed up with cheaters by the end of last season that Activision Blizzard was given access to all of their memory.
Regardless of its history or widespread use, this kind of abuse is exactly what those who warned against the spread of kernel-mode anti-cheat were warning about. What happens if a vulnerability is discovered? That could make it more dangerous than ordinary anti-cheat software. MiHoYo has been contacted for comment. I will update this post if they respond.