
    Alert: HotPage Adware Masquerading as Ad Blocker Installs Malicious Kernel Driver

    Cybersecurity experts have exposed an adware module that poses as an ad blocker while secretly installing a kernel driver, allowing attackers to execute arbitrary code with elevated permissions on Windows systems.

    This malware, named HotPage, is identified through its installer “HotPage.exe,” according to new research by ESET.

    “The installer deploys a driver that can inject code into remote processes and two libraries that can intercept and manipulate browser network traffic,” ESET researcher Romain Dumont revealed in a technical analysis published today.

    “The malware can alter or replace the content of a requested page, redirect the user to another page, or open a new page in a new tab based on specific conditions.”

    In addition to using its browser traffic interception and filtering capabilities to display game-related ads, it is designed to collect and exfiltrate system information to a remote server linked to a Chinese company called Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).

    This is achieved through a driver that injects libraries into browser applications, altering their execution flow to change the URL being accessed or ensure the homepage of the new browser instance is redirected to a particular URL specified in a configuration.

    Moreover, the lack of access control lists (ACLs) for the driver means that an attacker with a non-privileged account could exploit it to gain elevated privileges and run code as the NT AUTHORITY\System account.

    “This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account,” Dumont explained. “Due to improper access restrictions to this kernel component, any process can communicate with it and leverage its code injection capability to target any non-protected processes.”
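The weakness the quote describes is a driver device object whose security descriptor lets any caller open it. The following is an added example, not ESET's code and not anything recovered from HotPage itself: a small checker that takes the SDDL string of a device object (on a live system you would obtain it with a tool such as Sysinternals accesschk or WinObj; the device name of the HotPage driver is not given here, and the descriptors below are constructed) and reports whether a non-privileged principal can reach it. It treats a missing DACL as the worst case, since Windows grants everyone full access when no DACL is present, and handles both two-letter rights codes and raw hex masks.

```python
"""
Added example: assess whether a Windows device object's DACL (given as
an SDDL string) lets non-privileged accounts open it.  Not part of the
ESET analysis; sample descriptors are constructed for illustration.
"""
import re

# Two-letter SDDL rights codes that this checker understands.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
FILE_WRITE_DATA, WRITE_DAC, WRITE_OWNER = 0x00000002, 0x00040000, 0x00080000
# Any of these bits lets the holder write to the device or rewrite its ACL.
WRITE_LIKE = GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA | WRITE_DAC | WRITE_OWNER

# Well-known SID aliases.  Anything else is reported for manual review.
LOW_PRIV_SIDS = {"WD": "Everyone", "BU": "Builtin Users",
                 "AU": "Authenticated Users", "IU": "Interactive Users"}
PRIVILEGED_SIDS = {"SY": "Local System", "BA": "Builtin Administrators"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(text):
    """Turn an SDDL rights field ('GRGW' or '0x1200A9') into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"malformed rights string: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unsupported rights code: {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return None for a NULL DACL, otherwise a list of (ace_type, mask, sid)."""
    parts = re.split(r"(?=[OGDS]:)", sddl.replace(" ", ""))
    dacl = next((p[2:] for p in parts if p.startswith("D:")), None)
    if dacl is None:
        return None  # no D: component at all: Windows grants everyone full access
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        aces.append((ace_type, parse_rights(rights), sid))
    return aces


def assess_device_acl(sddl):
    """Summarise who can open the device object described by `sddl`.

    Only Allow ACEs widen access; Deny ACEs are skipped because a deny can
    never make an otherwise-locked device reachable.
    """
    aces = parse_dacl(sddl)
    if aces is None:
        return {"exposed": True, "null_dacl": True,
                "findings": ["NULL DACL: every process has full access"]}
    findings, exposed = [], False
    for ace_type, mask, sid in aces:
        if ace_type != "A":
            continue
        level = "full/write" if mask & WRITE_LIKE else "read-only"
        if sid in LOW_PRIV_SIDS:
            exposed = True
            findings.append(f"{LOW_PRIV_SIDS[sid]} can open the device "
                            f"({level}, mask=0x{mask:08X})")
        elif sid not in PRIVILEGED_SIDS:
            findings.append(f"unrecognised principal {sid} allowed ({level}) - review manually")
    if not findings:
        findings.append("only SYSTEM/Administrators allowed")
    return {"exposed": exposed, "null_dacl": False, "findings": findings}


# Constructed sample descriptors (not taken from the HotPage driver):
HARDENED = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"                       # SYSTEM and admins only
WORLD_OPEN = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"        # Everyone may read/write
USERS_READ = "D:P(A;;GA;;;SY)(A;;0x1200A9;;;BU)"                # Builtin Users, read-only
NO_DACL = "O:SYG:SY"                                            # descriptor without a DACL

if __name__ == "__main__":
    for name, sddl in [("hardened", HARDENED), ("world-open", WORLD_OPEN),
                       ("users-read", USERS_READ), ("no-dacl", NO_DACL)]:
        result = assess_device_acl(sddl)
        print(f"{name:11} exposed={result['exposed']!s:5} {'; '.join(result['findings'])}")
```

The `HARDENED` string is the classic "SYSTEM and administrators only" descriptor a driver author would want on a device object that accepts code-injection requests; anything that produces `exposed=True` is the condition the ESET quote is warning about. The checker deliberately stops at "who can open it" rather than evaluating deny/allow ordering, since even read-only access to a device is enough to reach IOCTLs defined with `FILE_ANY_ACCESS`.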

    While the exact distribution method of the installer remains unknown, evidence from the Slovak cybersecurity firm suggests it has been promoted as a security solution for internet cafés, aimed at enhancing users’ browsing experience by blocking ads.

    Notably, the embedded driver is signed by Microsoft. The Chinese company is believed to have navigated Microsoft’s driver code signing requirements and secured an Extended Validation (EV) certificate. The driver has since been removed from the Windows Server Catalog as of May 1, 2024.

    Kernel-mode drivers must be digitally signed to be loaded by the Windows operating system, a critical defense established by Microsoft to protect against malicious drivers that could undermine security controls and interfere with system processes.

    However, last July, Cisco Talos revealed that native Chinese-speaking threat actors are exploiting a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers.

    “The analysis of this seemingly ordinary piece of malware has once again demonstrated that adware developers are willing to go to great lengths to achieve their goals,” Dumont stated.

    “Not only have they developed a kernel component with extensive techniques to manipulate processes, but they also navigated Microsoft’s requirements to obtain a code-signing certificate for their driver component.”
