0xDEADBEEF 43 Posted April 21, 2020 Share Posted April 21, 2020 Decided to post here because this has already been reported to the eset's lab email for several days but it has not been processed (or at least, the FP is still there). password: "infected" the driver is from the installer downloaded here: https://honkaiimpact3.mihoyo.com/asia/en-us sample.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted April 21, 2020 Administrators Share Posted April 21, 2020 The detection is correct. The purpose of the driver is questionable and having such driver running in the system is risky. You can exclude the file from detection, however. 0xDEADBEEF 1 Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 (edited) If the installer is this file, HI3_Oversea_Setup.exe, Eset on VT doesn't detect anything. Is the detection occurring when the driver attempts to load at boot time? Hybird-Analysis found the installer clean but noted this: Quote Ransomware/Banking The input sample dropped very many files details The input sample dropped 882 files (often an indicator for ransomware) source: Extracted File relevance: 5/10 882 files? Ref.: https://www.hybrid-analysis.com/sample/edaeb1939a9e145c2d42dcdd47f1292eaf905525dca3a1ecef48cfd2b797d4f8/5e9f0de86721d44be502cb9a Edited April 21, 2020 by itman Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted April 21, 2020 Author Share Posted April 21, 2020 15 minutes ago, itman said: Hybird-Analysis found the installer clean but noted this: I feel many open sandboxs' malicious rule matchers are dumb. You can throw in a slightly modified ccleaner and it will also trigger many "malicious behaviors". Here it is just the driver file that gets detected by the scanner. The original installer is just a game downloader, after you install the downloader and download the game, the driver will be released to the installation directory and get quarantined by the scanner. There are indeed "legitimate" drivers using weird ways to achieve some questionable goals, and sometimes those even make system vulnerable to rootkit infection. I am not sure what's the issue in this file though. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 2 minutes ago, 0xDEADBEEF said: The original installer is just a game downloader, after you install the downloader and download the game, the driver will be released to the installation directory and get quarantined by the scanner. Is this a kernel mode driver? Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 Appears Eset not alone here. At least one other AV is also flagging the driver: https://www.reddit.com/r/HonkaiImpact3rd/comments/f26zrh/vmprotect_suddenly_being_blocked_by_antivirus_is/ And it appears Eset is detecting Winnti's malware fingerprints here: https://github.com/eset/malware-ioc/tree/master/winnti_group#samples-1 0xDEADBEEF 1 Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted April 21, 2020 Author Share Posted April 21, 2020 30 minutes ago, itman said: And it appears Eset is detecting Winnti's malware fingerprints here: https://github.com/eset/malware-ioc/tree/master/winnti_group#samples-1 this looks interesting... Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 (edited) Since driver development is and always was a specialty, assume the game developer contracted out its development and ongoing maintenance to a third party external source. Hack most likely occurred there. Edited April 21, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 Assume those aren't ears but rather (devil) horns.😈 Link to comment Share on other sites More sharing options...
0xDEADBEEF 43 Posted April 21, 2020 Author Share Posted April 21, 2020 7 minutes ago, itman said: Assume those aren't ears but rather (devil) horns 🤣🤣 🤣 Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 Linking supply-chain events Ref.: https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 21, 2020 Share Posted April 21, 2020 (edited) Brief summary. Install a kernel mode driver with a backdoor built into it. If that isn't bad enough, employ an "industrial grade" backdoor for added measure. Per the above Eset linked article: Quote The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix. There are variants out there targeting different services and ports. They include DNS (53), HTTP (80), HTTPS (443), RDP (3389) and WinRM (5985). Edited April 21, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 22, 2020 Share Posted April 22, 2020 I guess I should clarify that at this point, there is no proof that the game driver via VMProtect is setting either the PortReuse or ShadowPad backdoors. Nor is there anyway for Eset to detect such activity since the activity would occur by unpacking them in Kernel memory space; an area that Eset does not have access to. Link to comment Share on other sites More sharing options...
Recommended Posts