Hackers have found a way to disable some antivirus programs on Windows devices, enabling them to deploy all kinds of malware on the targets.
Researchers at AhnLab Security observed two such attacks last year. The attackers exploited two vulnerabilities in Sunlogin, remote control software made by a Chinese company, and used the access to run an obfuscated PowerShell script that disables any security products the victims had installed.
The exploited vulnerabilities are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution bugs discovered in Sunlogin version 11.0.0.33 and earlier.
Abuse of the anti-cheat driver
To exploit the vulnerabilities, the attackers used proof-of-concept code that had already been published. The deployed PowerShell script decodes a .NET portable executable: a modified build of the open source tool Mhyprot2DrvControl, which abuses a vulnerable Windows driver to obtain kernel-level privileges.
This particular tool uses mhyprot2.sys, an anti-cheat driver for Genshin Impact, an action role-playing game.
“With a simple bypassing process, malware can access the kernel area via mhyprot2.sys,” the researchers said.
“The developer of Mhyprot2DrvControl has provided many features that can be used with privileges escalated by mhyprot2.sys. Among them, the cybercriminal has used a feature that enables forced termination of processes to develop malware that shuts down many anti-malware products.”
Once the security products' processes have been killed, the attackers can install whatever malware they like. In some cases they simply opened reverse shells; in others they installed Sliver, Gh0st RAT or the XMRig cryptocurrency miner.
The technique is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft's recommended defence against these attacks is to enable the Vulnerable Driver Blocklist, which prevents the system from installing or running drivers that are known to be vulnerable.
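The following PowerShell is an added example, not code from the article, AhnLab or BleepingComputer. It checks whether the Vulnerable Driver Blocklist is in force (either because memory integrity/HVCI is running or because the registry switch is set), enables the registry switch if not, and hunts the host for the mhyprot2.sys driver service and for Sysmon driver-load events. The registry value name, the Win32_DeviceGuard class and the Sysmon event ID are the ones Microsoft and Sysinternals document; the function names are my own. It assumes an elevated session on Windows 10 or 11.

```powershell
# Added example: verify/enable Microsoft's Vulnerable Driver Blocklist and hunt
# for the Genshin Impact anti-cheat driver (mhyprot2.sys) abused in BYOVD attacks.
# Run from an elevated PowerShell session. Function names are illustrative.

$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Test-VulnerableDriverBlocklist {
    # HVCI (memory integrity) enforces the blocklist automatically;
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # Without HVCI the blocklist is controlled by this DWORD (1 = enabled).
    $reg = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                            -ErrorAction SilentlyContinue
    $regOn = ($null -ne $reg) -and ($reg.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]@{
        HvciRunning       = $hvci
        BlocklistRegistry = $regOn
        Protected         = ($hvci -or $regOn)
    }
}

function Enable-VulnerableDriverBlocklist {
    # Sets the registry switch; a reboot is required before it takes effect.
    if (-not (Test-Path $ciConfig)) { New-Item -Path $ciConfig -Force | Out-Null }
    New-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                     -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'VulnerableDriverBlocklistEnable=1 set; reboot to apply.'
}

function Find-SuspectDriverService {
    param([string]$Pattern = 'mhyprot2')

    # Driver services record where their image lives, even if the attacker
    # dropped it somewhere other than System32\drivers.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match $Pattern -or $_.Name -match $Pattern } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ prefix
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path }
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                Path    = $path
                Signer  = $sig.SignerCertificate.Subject
                SigOk   = $sig.Status
            }
        }
}

function Find-SysmonDriverLoad {
    param([string]$Pattern = 'mhyprot2')

    # Requires Sysmon: event ID 6 (DriverLoad) records every driver load with
    # the image path, hashes and signer, so it catches drivers loaded and
    # unloaded again before anyone looked at the service list.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            $loaded = ($_.Message -split "`n" | Where-Object { $_ -like 'ImageLoaded:*' }) -join ''
            [pscustomobject]@{ Time = $_.TimeCreated; Loaded = $loaded.Trim() }
        }
}

$status = Test-VulnerableDriverBlocklist
$status | Format-List
if (-not $status.Protected) { Enable-VulnerableDriverBlocklist }

Find-SuspectDriverService | Format-Table -AutoSize
Find-SysmonDriverLoad     | Format-Table -AutoSize
```

Two caveats worth keeping in mind: the blocklist only stops drivers Microsoft has already listed, so a hunt for the driver service and its load events is still needed on hosts that may already have been hit; and the registry switch does nothing until the machine reboots, so a "Protected" result from the registry alone does not mean the current session is covered.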
By: BleepingComputer