Hackers have found a way to disable some antivirus software on Windows machines, allowing them to deploy all kinds of malware on the targets.
Cybersecurity researchers at AhnLab Security noted two such attacks last year, in which the attackers exploited two vulnerabilities in Sunlogin, remote-control software made by a Chinese company, and used them to deploy a PowerShell script that disables any security products the victims might have installed.
The abused vulnerabilities are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws affecting Sunlogin version 188.8.131.52 and earlier.
Abuse of an anti-cheat driver
To abuse the flaws, the attackers used proofs of concept that had already been published. The deployed PowerShell script decodes a .NET portable executable, a modified version of the open-source Mhyprot2DrvControl, which takes advantage of a vulnerable Windows driver to gain kernel-level privileges.
This specific tool abuses the mhyprot2.sys file, an anti-cheat driver for the role-playing game Genshin Impact.
“With a simple bypass, the malware can gain access to the kernel region through mhyprot2.sys,” the researchers said.
“The developer of Mhyprot2DrvControl introduced multiple features that can be used with privilege escalation through mhyprot2.sys. Among them, the threat actor used the feature that allows for force termination of processes to develop a malware that shuts down several anti-malware products.”
After the security processes are terminated, the attackers are free to install any malware they wish. Sometimes they simply open reverse shells; other times they install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner.
The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Against this type of attack, Microsoft recommends enabling the Vulnerable Driver Blocklist, which prevents the system from installing or running drivers known to be vulnerable.
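A defender-side check for the two points raised above, written as an added example (not code from the article or from AhnLab): it reads the registry toggle Microsoft uses for the Vulnerable Driver Blocklist and then looks in the System event log and among loaded drivers for the mhyprot2.sys driver named in the report. The `$Suspicious` value is taken from the article; everything else is assumed for illustration and should be run from an elevated PowerShell prompt.

```powershell
# Added example: check BYOVD exposure on a Windows host.
# 1) Is the Microsoft Vulnerable Driver Blocklist turned on?
# 2) Has a kernel driver named mhyprot2.sys been installed or loaded here?
$BlocklistKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$Suspicious   = 'mhyprot2.sys'   # anti-cheat driver abused by the modified Mhyprot2DrvControl

function Test-VulnerableDriverBlocklist {
    # DWORD VulnerableDriverBlocklistEnable = 1 means the blocklist is active.
    $prop  = Get-ItemProperty -Path $BlocklistKey -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.VulnerableDriverBlocklistEnable -eq 1)
}

function Find-DriverServiceInstall {
    param([string]$DriverName)
    # Event ID 7045 (System log) is written for every new service, kernel drivers included.
    # Event data: [0] ServiceName, [1] ImagePath, [2] ServiceType, [3] StartType, [4] AccountName
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -like "*$DriverName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
            }
        }
}

function Find-LoadedDriver {
    param([string]$DriverName)
    # Currently registered kernel drivers; State tells whether it is running right now.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverName*" } |
        Select-Object Name, State, StartMode, PathName
}

if (Test-VulnerableDriverBlocklist) {
    Write-Host 'Vulnerable Driver Blocklist: ENABLED'
} else {
    Write-Warning 'Vulnerable Driver Blocklist: NOT enabled'
    Write-Host "Enable with: Set-ItemProperty -Path '$BlocklistKey' -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord  (reboot required)"
}

$installs = @(Find-DriverServiceInstall -DriverName $Suspicious)
$loaded   = @(Find-LoadedDriver        -DriverName $Suspicious)
if ($installs.Count -gt 0 -or $loaded.Count -gt 0) {
    Write-Warning "Driver '$Suspicious' seen on this host; review the records below"
    $installs | Format-Table -AutoSize
    $loaded   | Format-Table -AutoSize
} else {
    Write-Host "No service install or loaded driver matching '$Suspicious'"
}
```

Matching on the file name is a weak signal, since the driver can be dropped under any name; where Sysmon is deployed, its Event ID 6 (DriverLoad) adds the image hash and signer, which is the field worth alerting on.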