This Windows security attack can take down your antivirus
By Mobile Malls, February 7, 2023

Hackers have found a way to disable certain antivirus products on Windows devices, allowing them to deploy all kinds of malware on the target machines. Cybersecurity researchers at AhnLab Security observed two such attacks last year, in which the attackers found two unpatched vulnerabilities in Sunlogin, a remote-control software product built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables any security products the victims might have installed. The vulnerabilities being abused are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws found in Sunlogin v11.0.0.33 and earlier.

Abusing an anti-cheat driver

To abuse the flaws, the attackers used proofs-of-concept that had already been released. The PowerShell script being deployed decodes a .NET portable executable: a tweaked build of Mhyprot2DrvControl, an open-source program that leverages vulnerable Windows drivers to gain kernel-level privileges. This particular tool abuses the mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game. "Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys," the researchers said. "The developer of Mhyprot2DrvControl provided multiple features that can be used with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products."

After terminating security processes, the attackers are free to install whatever malware they please. Sometimes they would simply open reverse shells, and at other times they would install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner. The technique is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft's recommendation against this type of attack is to enable the vulnerable driver blocklist, which prevents the system from installing or running drivers that are known to be vulnerable.

Via: BleepingComputer
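As an added example (not code from the article, AhnLab, or Microsoft), the following PowerShell audit checks the two things a defender would want to know about this chain on a Windows 10/11 host: whether the vulnerable driver blocklist is enforced, and whether the abused anti-cheat driver is registered or present on disk. It assumes an elevated session; the registry value it reads is Microsoft's documented blocklist switch, and the driver name list is a constructed starting point.

```powershell
# Added example: audit a Windows host for the controls relevant to the
# mhyprot2.sys BYOVD chain. Run elevated. Not code from the article or vendor.

# 1. Is Microsoft's vulnerable driver blocklist enforced?
#    Documented switch: HKLM\SYSTEM\CurrentControlSet\Control\CI\Config,
#    DWORD VulnerableDriverBlocklistEnable = 1. Hosts running HVCI enforce the
#    blocklist regardless, so both indicators are reported.
function Get-VulnerableDriverBlocklistState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = (Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $dg    = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = $value                       # $null = not explicitly set
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)  # 2 = HVCI
    }
}

# 2. Is the abused driver registered as a kernel service or sitting in the
#    drivers directory? A legitimate Genshin Impact install can also carry
#    mhyprot2.sys, so a hit is a lead to investigate, not proof of compromise.
#    The hash and signer are emitted so they can be compared against your own
#    threat-intel source (no hash is asserted here).
function Find-KnownAbusedDriver {
    param([string[]]$Names = @('mhyprot2'))   # constructed list; extend as needed
    foreach ($n in $Names) {
        $svc   = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE '%$n%'"
        $files = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter "*$n*.sys" `
                    -ErrorAction SilentlyContinue
        foreach ($s in $svc) {
            [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; Path = $s.PathName; State = $s.State }
        }
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Kind   = 'File'; Name = $f.Name; Path = $f.FullName
                SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

Get-VulnerableDriverBlocklistState | Format-List
Find-KnownAbusedDriver | Format-Table -AutoSize
```

If BlocklistRegistryValue is not 1 and HvciRunning is false, the host will load a driver like mhyprot2.sys even though Microsoft already lists it as vulnerable.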