This Windows security attack can take down your antivirus
>
Hackers have found a way to disable certain antivirus programs (opens in new tab) programs on Windows devices, allowing them to deploy all kinds of malware on the target devices.
Cybersecurity researchers AhnLab Security observed two such attacks last year, where the attackers found two unpatched vulnerabilities in Sunlogin, remote control software built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables the victims’ security products. installed.
The exploited vulnerabilities are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution errors found in Sunlogin v11.0.0.33 and earlier.
Taking advantage of an anti-cheat driver
To exploit the flaws, the attackers used proof-of-concept that had already been released. The PowerShell script being deployed decodes a portable .NET executable – a tweaked Mhyprot2DrvControl open-source program that uses vulnerable Windows drivers to gain kernel-level privileges.
This particular tool exploits the mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game.
“A simple bypass process allows the malware to access the kernel area via mhyprot2.sys,” the researchers said.
“The developer of Mhyprot2DrvControl has provided multiple features that can be used with the privileges escalated via mhyprot2.sys. Of these, the threat actor used the force-kill feature to develop malware that shuts down multiple anti-malware products.”
After the security processes are terminated, the attackers are free to install any malware they want. Sometimes they just opened reverse shells, and other times they installed Sliver, Gh0st RAT or the XMRig cryptocurrency miner.
The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommendation against this type of attack is to enable the Vulnerable Driver Blocklist, which prevents the system from installing or running drivers that are known to be vulnerable.
Through: Beeping computer (opens in new tab)