This Windows security attack can crash your anti-virus software
Hackers have found a way to disable some anti-virus programs on Windows devices, allowing them to deploy all types of malware on the target device.
Cybersecurity researchers at AhnLab Security observed two such attacks last year, in which attackers exploited two unpatched vulnerabilities in Sunlogin, remote-control software developed and used by Chinese companies, to deploy obfuscated PowerShell scripts that disable any security products the victim has installed.
The two vulnerabilities, CNVD-2022-10270 and CNVD-2022-03672, are remote code execution bugs found in Sunlogin v18.104.22.168 and earlier.
Anti-cheat driver abuse
To exploit the vulnerabilities, the attackers used a publicly released proof of concept. It deploys a PowerShell script that decrypts a portable .NET executable, a tweaked build of the open-source Mhyprot2DrvControl program, which leverages a vulnerable Windows driver to gain kernel-level privileges.
This particular tool abuses the file mhyprot2.sys, the anti-cheat driver for Genshin Impact, an action role-playing game.
“Through a simple bypass process, malware was able to gain access to the kernel sector via mhyprot2.sys,” the researchers said.
“The developer of Mhyprot2DrvControl has provided many features that can be used with upgraded privileges through mhyprot2.sys. Among these, the threat actor used a feature that allows forcibly terminating processes to develop malware that shuts down many anti-malware products.”
Once the security products have been shut down, the attackers are free to install any malware they want. Sometimes they just open reverse shells; other times they install the Sliver or Gh0st RAT backdoors or the XMRig cryptocurrency miner.
This technique is called BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommended defence against this class of attack is to enable the vulnerable driver blocklist, which prevents the system from installing or running drivers known to be vulnerable.
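As an added example that is not part of the article or of AhnLab's research, the PowerShell script below lets an administrator audit a Windows host for the two defences that matter here: whether Microsoft's vulnerable driver blocklist is enabled, and whether memory integrity (HVCI), which enforces that blocklist, is running. It also flags whether the mhyprot2 driver named in the article is registered on the machine. The registry path and value name are the ones Microsoft documents for the blocklist toggle; the driver-name match is a simple heuristic chosen for this example, and a hit only means the driver is present (a legitimate installation of the game registers the same driver), so it is a triage lead rather than proof of compromise.

```powershell
# Added example (not from the article): audit a Windows host for defences
# against BYOVD attacks such as the mhyprot2.sys abuse described above.
# Run in an elevated PowerShell session.

$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$valueName = 'VulnerableDriverBlocklistEnable'   # Microsoft's documented toggle

# 1. Is the Microsoft vulnerable driver blocklist explicitly enabled?
$blocklist = Get-ItemProperty -Path $ciConfig -Name $valueName -ErrorAction SilentlyContinue
if ($blocklist -and $blocklist.$valueName -eq 1) {
    Write-Output 'Vulnerable driver blocklist: ENABLED'
} else {
    Write-Output 'Vulnerable driver blocklist: not explicitly enabled (value missing or 0)'
}

# 2. Is memory integrity (HVCI) running? The blocklist is enforced when HVCI is on.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $hvciRunning = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI
    Write-Output ("Memory integrity (HVCI) running: {0}" -f $hvciRunning)
} else {
    Write-Output 'Device Guard status unavailable on this host'
}

# 3. Is the anti-cheat driver named in the article registered or loaded here?
#    Heuristic name match chosen for this example; a hit is a finding to
#    triage, not proof of compromise.
$suspectDriver = 'mhyprot2'
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like "$suspectDriver*" -or $_.PathName -like "*$suspectDriver*" }
if ($drivers) {
    foreach ($d in $drivers) {
        Write-Output ("FINDING: driver {0} ({1}) state={2} start={3}" -f `
            $d.Name, $d.PathName, $d.State, $d.StartMode)
    }
} else {
    Write-Output "No $suspectDriver driver registered on this host"
}

# 4. Optional remediation: enable the blocklist (takes effect after reboot).
#    Uncomment to apply.
# Set-ItemProperty -Path $ciConfig -Name $valueName -Value 1 -Type DWord
```

On Windows 11 22H2 and later the blocklist is on by default whenever memory integrity is enabled, so the most useful output is usually step 2: a host with HVCI off is not enforcing the list regardless of the registry value.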
Via: BleepingComputer