Hackers have found a way to disable certain antivirus (opens in new tab) programs on Windows devices, allowing them to deploy all sorts of malware on the target devices.
Cybersecurity researchers AhnLab Security observed two such attacks last year, where the attackers found two unpatched vulnerabilities in Sunlogin, a remote-control software built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables any security products the victims might have installed.
The vulnerabilities being abused are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws found in Sunlogin v220.127.116.11 and earlier.
Abusing an anti-cheat driver
To abuse the flaws, the attackers used proofs-of-concept that were already released. The PowerShell script being deployed decodes a .NET portable executable – a tweaked Mhyprot2DrvControl open-source program that leverages vulnerable Windows drivers to gain privileges at kernel level.
This specific tool abuses mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game.
“Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys,” the researchers said.
“The developer of Mhyprot2DrvControl provided multiple features that can be utilized with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products.”
After terminating security processes, the attackers are free to install whatever malware they please. Sometimes they would just open reverse shells, and other times they’d install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner.
The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommendation against these types of attacks is to enable the vulnerable driver blocklist, thus preventing the system from installing or running drivers that are known to be vulnerable.
Via: BleepingComputer (opens in new tab)