
Ransomware Author Uses Genshin Impact Anti-Cheat Driver, Destroys Antivirus

In the final week of July 2022, ransomware was detected in an application environment with properly configured strong encryption. Analysis of the sequence of events showed that a code-signed device driver called “mhyprot2.sys,” which provides the anti-cheat functions for Genshin Impact, was being abused to bypass permissions. As a result, commands issued at kernel level terminated the threat detection processes.

According to the reports, the ransomware was only the first example of such malicious activity to be discovered. The threat actor mainly aimed to attack the victim’s device with spyware and then spread the infection. Investigations are continuing to determine the scope of the driver’s use, because mhyprot2.sys is quite easy to integrate into any malware.

There have previously been reports of code-signed rootkits such as Netfilter, FiveSys, and Fire Chili. These rootkits were typically signed with stolen certificates or falsely validated. The situation changes dramatically when a genuine driver is used as a rootkit, which is the case here.
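Because the driver here is genuinely signed, a rule that only alerts on unsigned or invalidly signed drivers never fires. The following detection sketch is an added example, not code from the article or the reports it cites. The event records are constructed and simplified from a Sysmon-style "driver loaded" record, and the host names, paths and the `GAME_HOSTS` inventory are assumptions.

```python
import json
from pathlib import PureWindowsPath

WATCHED_DRIVER = "mhyprot2.sys"      # driver named in the article
GAME_HOSTS = {"ws-014"}              # assumption: hosts where the game is expected

# Constructed events, simplified from a Sysmon-style "driver loaded" record.
SAMPLE_EVENTS = r"""
{"host": "ws-014", "ImageLoaded": "C:\\Program Files\\Genshin Impact\\mhyprot2.sys", "Signed": "true", "SignatureStatus": "Valid"}
{"host": "srv-db02", "ImageLoaded": "C:\\Users\\Public\\MHYPROT2.SYS", "Signed": "true", "SignatureStatus": "Valid"}
{"host": "srv-db02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "SignatureStatus": "Valid"}
{"host": "ws-031", "ImageLoaded": "C:\\Temp\\unsigned.sys", "Signed": "false", "SignatureStatus": "Unavailable"}
"""

def parse(lines):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]

def signature_only_alert(event):
    """Naive rule: alert only when the driver is unsigned or its signature is invalid."""
    return event["Signed"] != "true" or event["SignatureStatus"] != "Valid"

def detect(events, game_hosts):
    """Flag loads of the watched driver by file name, regardless of signature."""
    findings = []
    for ev in events:
        # Windows file names are case-insensitive, so normalise before comparing.
        name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if name != WATCHED_DRIVER:
            continue
        findings.append({
            "host": ev["host"],
            "path": ev["ImageLoaded"],
            # A load on a host with no reason to run the game is the stronger signal.
            "severity": "review" if ev["host"] in game_hosts else "high",
            "missed_by_signature_rule": not signature_only_alert(ev),
        })
    return findings

if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_EVENTS), GAME_HOSTS):
        print(finding)
```

A file name can be changed, so a name match is a starting point for triage rather than a complete control. The article gives no hash for the driver, so none is used here.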


