Jump to content

Recommended Posts

Decided to post here because this has already been reported to the eset's lab email for several days but it has not been processed (or at least, the FP is still there). 

 

password: "infected"

 

the driver is from the installer downloaded here: https://honkaiimpact3.mihoyo.com/asia/en-us

sample.zip

Link to post
Share on other sites

If the installer is this file, HI3_Oversea_Setup.exe, Eset on VT doesn't detect anything. Is the detection occurring when the driver attempts to load at boot time?

Hybird-Analysis found the installer clean but noted this:

Quote

Ransomware/Banking

The input sample dropped very many files

details

The input sample dropped 882 files (often an indicator for ransomware)

source: Extracted File

relevance: 5/10

882 files?

Ref.: https://www.hybrid-analysis.com/sample/edaeb1939a9e145c2d42dcdd47f1292eaf905525dca3a1ecef48cfd2b797d4f8/5e9f0de86721d44be502cb9a

Edited by itman
Link to post
Share on other sites
15 minutes ago, itman said:

Hybird-Analysis found the installer clean but noted this:

I feel many open sandboxs' malicious rule matchers are dumb. You can throw in a slightly modified ccleaner and it will also trigger many "malicious behaviors".

 

Here it is just the driver file that gets detected by the scanner. The original installer is just a game downloader, after you install the downloader and download the game, the driver will be released to the installation directory and get quarantined by the scanner. There are indeed "legitimate" drivers using weird ways to achieve some questionable goals, and sometimes those even make system vulnerable to rootkit infection. I am not sure what's the issue in this file though.

Link to post
Share on other sites
2 minutes ago, 0xDEADBEEF said:

The original installer is just a game downloader, after you install the downloader and download the game, the driver will be released to the installation directory and get quarantined by the scanner.

Is this a kernel mode driver?

Link to post
Share on other sites

Appears Eset not alone here. At least one other AV is also flagging the driver: https://www.reddit.com/r/HonkaiImpact3rd/comments/f26zrh/vmprotect_suddenly_being_blocked_by_antivirus_is/

And it appears Eset is detecting Winnti's malware fingerprints here: https://github.com/eset/malware-ioc/tree/master/winnti_group#samples-1

Link to post
Share on other sites

Since driver development is and always was a specialty, assume the game developer contracted out its development and ongoing maintenance to a third party external source. Hack most likely occurred there.

Edited by itman
Link to post
Share on other sites

Brief summary.

Install a kernel mode driver with a backdoor built into it. If that isn't bad enough, employ an "industrial grade" backdoor for added measure. Per the above Eset linked article:

Quote

The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.

There are variants out there targeting different services and ports. They include DNS (53), HTTP (80), HTTPS (443), RDP (3389) and WinRM (5985).

 

Edited by itman
Link to post
Share on other sites

I guess I should clarify that at this point, there is no proof that the game driver via VMProtect is setting either the PortReuse or ShadowPad backdoors. Nor is there anyway for Eset to detect such activity since the activity would occur by unpacking them in Kernel memory space; an area that Eset does not have access to. 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...