Cybersecurity analysts have uncovered a piece of adware posing as an ad blocker and protective tool against harmful websites. However, this software clandestinely installs a kernel driver that permits attackers to execute unauthorized code with elevated privileges on Windows systems.
The malicious program, known as HotPage, derives its name from the installer file (“HotPage.exe”), according to recent discoveries made by ESET.
The installer “drops a driver that can inject code into remote processes, together with two libraries capable of capturing and manipulating the network traffic of browsers,” detailed ESET researcher Romain Dumont in a technical report released today.
“The adware has the capability to alter or substitute the content of a requested webpage, direct users to another page, or launch a new page in a fresh tab under specific conditions.”

Aside from utilizing its capabilities to intercept and filter browser traffic for displaying gaming-related advertisements, the adware is engineered to collect and transmit system data to a remote server linked to a Chinese entity called Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is made possible by the driver, which is designed to inject the libraries into browser processes and alter their execution flow so as to change the URL being accessed or force the homepage of a new browser session to a URL specified in a configuration.
But that’s not all. The absence of any access control list (ACL) on the driver allowed a non-privileged user to exploit it to gain elevated privileges and execute code as the NT AUTHORITY\SYSTEM account.
“This kernel component inadvertently exposes an opportunity for other threats to run code at the most elevated privilege level accessible within the Windows OS: the System account,” remarked Dumont. “Due to the inadequate access restrictions on this kernel component, any processes can communicate with it and utilize its ability to inject code to target unprotected processes.”
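The weakness described above is a device object reachable by any local user. A defender auditing a third-party driver wants to know whether the DACL on its device object limits access to SYSTEM and Administrators or lets low-privileged accounts open it. The following is an added example written for this article, not ESET’s or the adware’s code: it parses a security descriptor exported as an SDDL string (for instance from a kernel debugger or an object browser; how the string is obtained is assumed) and flags allow ACEs that grant I/O-capable rights to non-privileged principals. The restricted sample string is the value of the `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` constant from `wdmsec.h`; the other two sample descriptors are constructed for illustration.

```python
"""Audit a Windows device object's DACL (given as SDDL) for access by
low-privileged principals. Added example; not code from ESET or HotPage."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Well-known SID aliases used in SDDL. Which ones count as "privileged" is an
# assumption of this audit: anything not listed here is treated as a finding.
PRIVILEGED = {"SY", "BA", "LS", "NS"}  # SYSTEM, Administrators, Local/Network Service
NAMES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
         "IU": "Interactive Users", "AN": "Anonymous", "SY": "SYSTEM",
         "BA": "Administrators"}

# Access rights that let a caller open the device handle for I/O or take over
# its security. Note: "WD" here means WRITE_DAC, unlike the SID alias "WD".
IO_RIGHTS = {"GA", "GW", "GR", "GX", "FA", "FW", "FR", "WD", "WO"}

# Sample descriptors. SYS_ALL_ADM_ALL matches SDDL_DEVOBJ_SYS_ALL_ADM_ALL from
# wdmsec.h; the other two are constructed to show a weak configuration.
SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
OPEN_TO_EVERYONE = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"   # constructed
NO_DACL = "O:SYG:SY"                                           # constructed

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)")


@dataclass
class Ace:
    ace_type: str      # "A" allow, "D" deny, "AU" audit, ...
    rights: set[str]   # two-letter right tokens, e.g. {"GR", "GW"}
    trustee: str       # SID alias or raw S-1-... string


def split_rights(token: str) -> set[str]:
    """Turn an SDDL rights field into two-letter tokens.

    Hex masks are reduced to the generic/standard/file bits relevant for
    opening a device; composite tokens like "GRGW" are split pairwise."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
        bits = {0x10000000: "GA", 0x40000000: "GW", 0x80000000: "GR",
                0x20000000: "GX", 0x00040000: "WD", 0x00080000: "WO",
                0x00000002: "FW", 0x00000001: "FR"}
        return {name for bit, name in bits.items() if mask & bit}
    return {token[i:i + 2] for i in range(0, len(token), 2)}


def parse_dacl(sddl: str) -> list[Ace] | None:
    """Return the DACL's ACEs, or None when the descriptor has no D: section
    (a NULL DACL, which grants every caller full access)."""
    m = DACL_RE.search(sddl)
    if not m:
        return None
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = parts
        aces.append(Ace(ace_type, split_rights(rights), trustee))
    return aces


def audit_device_dacl(sddl: str) -> list[str]:
    """Return findings; an empty list means only privileged principals are
    granted rights that allow opening the device."""
    aces = parse_dacl(sddl)
    if aces is None:
        return ["no DACL: NULL DACL grants every caller full access to the device"]
    findings = []
    for ace in aces:
        if ace.ace_type != "A" or ace.trustee in PRIVILEGED:
            continue  # deny/audit ACEs grant nothing; privileged trustees are expected
        granted = ace.rights & IO_RIGHTS
        if granted:
            who = NAMES.get(ace.trustee, ace.trustee)
            findings.append(f"{who} granted {sorted(granted)}: "
                            "unprivileged code can open the device")
    return findings


if __name__ == "__main__":
    for label, sddl in [("restricted", SYS_ALL_ADM_ALL),
                        ("everyone", OPEN_TO_EVERYONE),
                        ("no-dacl", NO_DACL)]:
        print(label, audit_device_dacl(sddl) or ["OK: SYSTEM/Administrators only"])
```

The audit is deliberately conservative: any raw SID that is not one of the listed privileged aliases is reported, so a domain or local account SID shows up as a finding for a human to confirm rather than being silently accepted.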
While the distribution method of the installer remains undisclosed, data compiled by the Slovakian cybersecurity company suggests that it has been promoted as an internet café security solution aimed at enhancing users’ browsing experience by blocking advertisements.
The embedded driver stands out for being officially signed by Microsoft. The Chinese company is thought to have complied with Microsoft’s driver code signing requirements and obtained an Extended Validation (EV) certificate. The driver has, however, since been removed from the Windows Server Catalog as of May 1, 2024.
Kernel-mode drivers must be properly signed to be loaded on Windows, a crucial defense layer established by Microsoft to keep out malicious drivers that could be used to subvert security controls and disrupt system operations.
Nevertheless, Cisco Talos disclosed last July how native Chinese-speaking threat actors were taking advantage of a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers.
“The evaluation of this seemingly run-of-the-mill malware has revealed, once more, the extent to which adware developers are ready to push boundaries,” noted Dumont.
“Not only have they devised a kernel component equipped with an extensive array of techniques for manipulating processes, but they have also met the criteria established by Microsoft to acquire a code-signing certificate for their driver module.”