Hackers use anti-cheat in ‘Genshin Impact’ to ransom victims
A ransomware gang is allegedly hacking victims by abusing the anti-cheat system of the hugely popular free-to-play game Genshin Impact.
Cyber security firm Trend Micro published a report on Wednesday detailing the attack, which highlights how anti-cheat systems, installed by default as part of many online games, can be misused to hack players. The unnamed hackers take advantage of the fact that Genshin Impact’s anti-cheat system has known vulnerabilities, that it is signed by a legitimate company – meaning Windows will run it – and that it has elevated privileges, meaning it has access to sensitive parts of the operating system.
“I’ve been waiting to see ransomware abuse an anti-cheat driver for a while. We’ve seen cheaters abuse anti-cheat drivers for years,” an employee at a gaming company, who asked to remain anonymous because they were not authorized to speak to the press, told Motherboard. “It was only a matter of time before a ransomware group took notice and began collaborating on openly shared exploits.”
The hackers’ goal is to “mass distribute ransomware,” according to Trend Micro. Genshin Impact was released in 2020 by the Chinese developer HoYoverse (miHoYo in China) and has millions of players logging into the game world via mobile devices, consoles or PC.
From Trend Micro’s report, it is unclear how the hackers gain their first foothold on a targeted computer. But once inside, the hackers take advantage of Genshin Impact’s anti-cheat system to access the computer’s kernel, the core part of the operating system that controls and has access to most of the computer’s functions. At that point, the hackers have the ability to turn off antivirus and install ransomware on victims’ computers.
In other words, they abuse the anti-cheat system as a way to access more sensitive parts of the operating system and avoid being caught by an antivirus before distributing the ransomware.
Trend Micro researchers note that the game “doesn’t need to be installed on a victim’s device for this to work”, meaning that the hackers need only install the anti-cheat driver as a preliminary step and then distribute the ransomware.
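An added defender’s example, not from the article or Trend Micro’s report: because the driver is legitimately signed, signature status alone cannot distinguish a real game install from an attacker-dropped copy, so this Python check instead inspects constructed driver-load records (modelled on Sysmon Event ID 6 fields) and flags the mhyprot2 driver when it is loaded from outside a known game install directory or when no game installation is known at all. The file name mhyprot2.sys, the sample paths and the field names are assumptions.

```python
from pathlib import PureWindowsPath

# File name of the Genshin Impact anti-cheat driver (assumed; the article only says "mhyprot2").
ANTICHEAT_DRIVER = "mhyprot2.sys"

# Constructed driver-load records modelled on Sysmon Event ID 6 (DriverLoad) fields.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Program Files\Genshin Impact\Genshin Impact Game\mhyprot2.sys", "Signed": "true"},
    {"ImageLoaded": r"C:\Users\Public\mhyprot2.sys", "Signed": "true"},  # dropped outside the game dir
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys", "Signed": "true"},
]


def is_under(path, root):
    """True if `path` lies inside directory `root` (Windows path semantics, case-insensitive)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return r in p.parents


def suspicious_driver_loads(events, game_dirs):
    """
    Return (path, reason) for each load of the anti-cheat driver that does not come
    from a known game installation. The 'Signed' field is deliberately ignored:
    the driver carries a valid vendor signature in both benign and malicious use,
    so only the load location and the presence of a real install are informative.
    """
    findings = []
    for ev in events:
        path = ev["ImageLoaded"]
        if PureWindowsPath(path).name.lower() != ANTICHEAT_DRIVER:
            continue
        if not game_dirs:
            findings.append((path, "anti-cheat driver loaded but no game installation is known"))
        elif not any(is_under(path, d) for d in game_dirs):
            findings.append((path, "anti-cheat driver loaded from outside the game directory"))
    return findings


if __name__ == "__main__":
    for path, reason in suspicious_driver_loads(SAMPLE_EVENTS, [r"C:\Program Files\Genshin Impact"]):
        print(f"ALERT: {reason}: {path}")
```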
Genshin Impact’s anti-cheat system is called mhyprot2. For years, security researchers have warned about the flaws of the anti-cheat system. In 2020, a researcher showed that it could be abused to read the computer’s memory and processes. Then last July, a researcher who goes by Kento Oki published a proof-of-concept that turned the anti-cheat system into malicious software that could gain access to the kernel.
These concerns have also been discussed publicly outside security circles. The website Pro Game Guides reported after the game’s launch that users were concerned about the anti-cheat system because it had kernel-level privileges and ran in the background even when the game was closed, going so far as to wonder if it was spyware. The company responded to these concerns by updating the anti-cheat system so that it would turn off when users were not playing the game.
In other words, HoYoverse, the company that develops Genshin Impact, has known that this version of the game’s anti-cheat system is vulnerable and exploitable for a couple of years.
“We are currently working on this matter and will find a solution as soon as possible to ensure player safety and stop potential abuse of the anti-cheat feature,” a HoYoverse spokesperson told Motherboard in an email.
Despite long-standing concerns, the vulnerable anti-cheat system continues to be installed on players’ computers and has not been updated. And according to Trend Micro researchers, “there are no workarounds at this time” because the anti-cheat system is a legitimate program signed by a real company and is therefore not flagged by antivirus or Windows.
There are other anti-cheat systems that run in the kernel, giving them access to and insight into what is running on the operating system with the goal of detecting cheats. The first to attract attention and prompt some to question whether it was going too far was Vanguard, the anti-cheat system for Riot Games’ online first-person shooter Valorant. Activision followed with RICOCHET, a kernel-level anti-cheat system for its hugely popular Call of Duty games.
When creating anti-cheat systems like these, developers need to be aware that the system could be turned against users if there are vulnerabilities, according to Paul Chamberlain, who was Riot’s anti-cheat head when the company developed Vanguard.
“That was one of the main concerns we had when we created Vanguard at Riot, we put a lot of resources into security audits to try to make sure something like this couldn’t happen,” Chamberlain told Motherboard.
Misusing drivers and other programs to push ransomware is a proven tactic for cybercriminals, according to Allan Liska, a researcher at cybersecurity firm RecordedFuture who focuses on ransomware.
“Signed drivers are usually going to slip past endpoint detection systems [such as antivirus] unnoticed,” he said.
UPDATE, Friday 26 Aug. 10:31 a.m. ET: This story was updated to include comment from a HoYoverse spokesperson.