Genshin Impact has had various updates throughout its lifetime, adding new characters, story extensions, and other features to the title. Today's report, though, has a far more negative connotation, as it relates to the game's anti-cheat functionality; specifically, it covers how that feature is being abused.
When it comes to anti-cheat systems, you may have heard of popular ones such as EasyAntiCheat and BattlEye. Genshin Impact has its own anti-cheat component, a file known as mhyprot2.sys, which miHoYo originally added to the game to prevent cheating. Towards the end of July 2022, a report from TrendMicro showed security teams that this same file would cause far more significant problems.
The Genshin anti-cheat runs as a device driver, meaning it executes with kernel-level privileges on your computer. Unfortunately, that is exactly what makes the file abusable: it can be used to bypass various safeguards and, ultimately, to kill endpoint protection processes. It gets worse, too. Because the driver is easy to obtain and versatile at bypassing protections, among other issues, organizations should be very careful with their systems and check whether this file is present on them.
Next, the abused version of this anti-cheat comes alongside a kill.svc file, which installs the service and runs a fake AVG antivirus, dropping various files as ransomware. This ransomware also shuts down other antivirus products that would ordinarily protect users (as shown in a proof-of-concept a user provided to TrendMicro, which shut down 360 Total Security).
The ransomware payload then starts to encrypt files, rendering them unusable, and can also be deployed to other computers via a PsExec process. What makes this potentially more dangerous is that, in theory, if the ransomware finds its way into an office with its own domain, no computer joined to that domain would be safe.
Now, this has been an ongoing issue that has plagued Hoyoverse's game for a while. As seen before, mhyprot2.sys has previously been used to distribute DLLs. It doesn't seem like Hoyoverse either cares or knows how to fix this: the issue was reported to them, but it was not acknowledged as a vulnerability.
Of course, this also means that no fix for this issue has been provided. Going forward, if you are still using Genshin Impact, be very careful about the files you download, and be sure to check your computer's event logs for service installations. Either that or play the game through GeForce NOW, I guess. We'll continue to update as more information is released on the Genshin Impact ransomware situation.
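The two checks the article recommends, looking for the mhyprot2.sys driver on a host and reviewing the event log for service installations, can be scripted. The following PowerShell is an added example written for this page; it is not code from the article, from TrendMicro, or from miHoYo/Hoyoverse. It assumes that Windows records service installations as Event ID 7045 in the System log (the standard "A service was installed in the system" event) and that the driver's service name is "mhyprot2" (only the file name mhyprot2.sys appears in the report, so the service name is an assumption). The function names and the `$LookbackDays` parameter are this example's own.

```powershell
# Added example (not from the article or the vendor): defender-side checks for
# (1) the presence of mhyprot2.sys and (2) recent service installations.
# Run from an elevated PowerShell prompt on the host being inspected.

function Get-DriverPresence {
    param([string]$DriverFileName = 'mhyprot2.sys')   # file name taken from the report

    # Look in the usual driver directory plus the temp locations a dropper tends to use.
    $searchRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:TEMP)
    $files = Get-ChildItem -Path $searchRoots -Filter $DriverFileName -File -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # The driver is legitimately signed; a valid signature is expected and is
        # precisely why it can be loaded on hosts where the game was never installed.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Finding   = 'DriverFilePresent'
            Path      = $f.FullName
            LastWrite = $f.LastWriteTime
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }

    # Kernel driver services that reference the file, or use the assumed service name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match [regex]::Escape($DriverFileName) -or $_.Name -eq 'mhyprot2' } |
        ForEach-Object {
            [pscustomobject]@{
                Finding   = 'DriverServiceRegistered'
                Path      = $_.PathName
                LastWrite = $null
                SigStatus = $_.State          # Running / Stopped
                Signer    = $_.StartMode
            }
        }
}

function Get-RecentServiceInstalls {
    param([int]$LookbackDays = 30)   # assumed window; adjust to the host's log retention

    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Read the EventData fields by name rather than by position so the parsing
        # does not depend on the order Windows happens to emit them in.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $imagePath = [string]$data['ImagePath']
        $reasons   = @()
        if ($imagePath -match 'mhyprot2\.sys')            { $reasons += 'ReferencesMhyprot2' }
        if ($data['ServiceType'] -match 'kernel')         { $reasons += 'KernelModeDriver' }
        if ($imagePath -match '\\(Temp|Users|ProgramData)\\') { $reasons += 'ImageOutsideSystemDirs' }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $imagePath
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            Installer   = $data['AccountName']
            Suspicious  = ($reasons -join ',')
        }
    }
}

# Usage: list any driver findings, then the flagged service installs first.
Get-DriverPresence | Format-Table -AutoSize
Get-RecentServiceInstalls -LookbackDays 30 |
    Sort-Object { $_.Suspicious -eq '' }, Time -Descending |
    Format-Table -AutoSize
```

A kernel-mode service installation that points at mhyprot2.sys on a machine where Genshin Impact was never installed is the signal to act on; the driver's signature will check out, so the presence of the file and the 7045 record, not the signature status, are what matter here.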