



This Windows security attack can take down your antivirus


Hackers have found a way to disable certain antivirus programs on Windows devices, allowing them to deploy all kinds of malware on the target devices.

Cybersecurity researchers AhnLab Security spotted two such attacks last year, where the attackers found two unpatched vulnerabilities in Sunlogin, a remote-control software built by a Chinese company, and used them to deploy an obfuscated PowerShell script that disables any security products the victims might have installed.

The vulnerabilities being abused are tracked as CNVD-2022-10270 and CNVD-2022-03672. Both are remote code execution flaws found in Sunlogin v11.0.0.33 and earlier.

Abusing an anti-cheat driver

To abuse the flaws, the attackers used proofs-of-concept that were already released. The PowerShell script being deployed decodes a .NET portable executable – a tweaked Mhyprot2DrvControl open-source program that leverages vulnerable Windows drivers to gain privileges at kernel level.

This particular tool abuses the mhyprot2.sys file, an anti-cheat driver for Genshin Impact, an action role-playing game.

“Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys,” the researchers said.

“The developer of Mhyprot2DrvControl provided multiple features that can be utilized with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products.”

After terminating security processes, the attackers are free to install whatever malware they please. Sometimes they would just open reverse shells, and other times they’d install Sliver, Gh0st RAT, or the XMRig cryptocurrency miner.

The method is known as BYOVD, or Bring Your Own Vulnerable Driver. Microsoft’s recommendation against these types of attacks is to enable the vulnerable driver blocklist, thus preventing the system from installing or running drivers that are known to be vulnerable.
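One way to check a host against the recommendation above, as an added example that is not from the article, AhnLab or Microsoft: it reads the registry value behind the vulnerable driver blocklist setting, checks whether memory integrity (HVCI) is running, and looks for a registered kernel driver whose image file is mhyprot2.sys. The function names are hypothetical; the registry value and WMI classes are standard Windows ones.

```powershell
# Added example (not from the article): audit one Windows host for BYOVD exposure.
# Run from an elevated PowerShell prompt.

function Get-DriverBlocklistState {
    # Registry value behind the "Microsoft Vulnerable Driver Blocklist" toggle.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }   # value absent: OS default applies
    if ($prop.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Test-MemoryIntegrityRunning {
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active;
    # the blocklist is also enforced in that case.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

function Find-DriverByFileName {
    param([Parameter(Mandatory)][string[]]$FileName)
    # Match registered kernel-driver services on the image file name, because
    # the service name is chosen by whoever installed the driver.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $_.PathName -and ($FileName -contains ($_.PathName -split '[\\/]')[-1])
    } | Select-Object Name, State, StartMode, PathName
}

$hits = @(Find-DriverByFileName -FileName 'mhyprot2.sys')

# One summary object per host, easy to export or collect centrally.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    DriverBlocklist    = Get-DriverBlocklistState
    MemoryIntegrity    = Test-MemoryIntegrityRunning
    Mhyprot2Registered = $hits.Count -gt 0
    Mhyprot2Services   = ($hits | ForEach-Object { "$($_.Name) [$($_.State)] $($_.PathName)" }) -join '; '
}
```

A match on the file name is only a lead: the driver is legitimately present on machines where Genshin Impact is installed, and a renamed copy would not match, so treat a hit on a server or a host without the game as the case worth investigating.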


Via: BleepingComputer
