This Windows security attack can take down your antivirus
After disabling your antivirus, attackers are installing miners and infostealers
Hackers have found a way to disable certain antivirus programs on Windows devices, allowing them to deploy all sorts of malware on the target devices.
Cybersecurity researchers AhnLab Security observed two such attacks last year, where the attackers found two unpatched vulnerabilities in Sunlogin, a remote-control software built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables any security products the victims might have installed.
The vulnerabilities being abused are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws found in Sunlogin v11.0.0.33 and earlier.
Abusing an anti-cheat driver
To abuse the flaws, the attackers used proofs-of-concept that were already released. The PowerShell script being deployed decodes a .NET portable executable - a tweaked Mhyprot2DrvControl open-source program that leverages vulnerable Windows drivers to gain privileges at kernel level.
This specific tool abuses mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game.
"Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys," the researchers said.
"The developer of Mhyprot2DrvControl provided multiple features that can be utilized with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After terminating security processes, the attackers are free to install whatever malware they please. Sometimes they would just open reverse shells, and other times they’d install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner.
The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommendation against these types of attacks is to enable the vulnerable driver blocklist, thus preventing the system from installing or running drivers that are known to be vulnerable.
- These are the best firewalls around
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.