Warning: HotPage Malware Masquerading as Ad Blocker Installs Unwanted Kernel Driver
Cybersecurity researchers have identified a piece of malware that claims to block advertisements and unsafe websites while covertly installing a kernel driver component that gives attackers the ability to execute unauthorized code with elevated privileges on Windows systems.
HotPage, the name of the malware, originates from the installer known as “HotPage.exe,” as per recent discoveries made by ESET.
The installation file “includes a driver that can inject code into distant processes, along with two libraries capable of intercepting and tampering with web browser network activity,” reported ESET analyst Romain Dumont in a technical report released today.
“The malware is capable of altering or substituting the content of pages that are requested, redirecting users to alternate pages, or opening new pages in new tabs based on specific conditions.”

Aside from using its network traffic interception and filtering functions to display game-related ads, the malware is built to gather system details and send them to a remote server linked to a Chinese firm called Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is achieved through a driver whose main purpose is to inject the libraries into web browser processes and alter their execution flow, either to modify the URL being accessed or to ensure that the homepage of a new browser instance points to a specific URL defined in a configuration.
That’s not all. Because the driver carries no access control list (ACL), unprivileged users with non-administrator accounts could use it to gain elevated privileges and execute code as the NT AUTHORITY\System user.
“This kernel portion inadvertently opens the door for other risks to execute code at the highest authority level within the Windows OS: the System user,” noted Dumont. “Because of the lack of proper restrictions on access to this kernel component, any process can communicate with it and leverage its code injection capacity to target unshielded processes.”
Although the specific method of distributing the installer remains unknown, evidence collected by the Slovakian cybersecurity company suggests that it has been promoted as a security tool for internet cafes aimed at enhancing users’ browsing experience by blocking ads.
The embedded driver draws attention for being signed by Microsoft. The Chinese firm is believed to have met Microsoft’s driver code signing requirements and obtained an Extended Validation (EV) certificate. The driver has been removed from the Windows Server Catalog as of May 1, 2024.
Windows will only load kernel-mode drivers that are digitally signed, a requirement Microsoft put in place as a barrier against malicious drivers that could otherwise be used to bypass security measures and interfere with system operations.
However, Cisco Talos disclosed last July how Chinese-speaking threat actors were abusing a loophole in a Microsoft Windows policy to forge kernel-mode driver signatures.
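Because the HotPage driver was properly signed, signature validity alone is not a useful alarm; what a defender wants is an inventory of which loaded drivers are third-party code. The following PowerShell script is an added example written for this article, not code from ESET or from the malware authors. It lists the kernel drivers currently running, checks each file's Authenticode signature, and flags for review anything not signed with the inbox Windows publisher certificate. The signer-name patterns, the `Review` flag and the path normalisation are this example's own assumptions about typical Windows installations.

```powershell
# Added example (not from the ESET report): inventory running kernel drivers,
# verify each file's Authenticode signature, and flag third-party or unsigned
# drivers for manual triage. A valid signature does not make a driver benign,
# so the flagged list is a starting point for review, not a verdict.
function Get-LoadedDriverSignatureReport {
    [CmdletBinding()]
    param(
        # Assumption: only the inbox Windows publisher is treated as first-party.
        # Third-party drivers that passed Microsoft's programme are signed by a
        # different Microsoft publisher certificate, so they still get flagged.
        [string[]]$FirstPartySignerPatterns = @('CN=Microsoft Windows,*', 'CN=Microsoft Windows Publisher*')
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'"
    foreach ($drv in $drivers) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # Win32_SystemDriver reports paths in several spellings; normalise them
        # to an ordinary file path before looking at the file on disk.
        $path = $path -replace '^\\\?\?\\', '' `
                      -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                      -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null; Review = $true }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $firstParty = $false
        foreach ($pattern in $FirstPartySignerPatterns) {
            if ($signer -like $pattern) { $firstParty = $true; break }
        }

        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
            # Review anything unsigned, tampered, or not signed as inbox Windows code.
            Review = (-not $firstParty) -or ($sig.Status -ne 'Valid')
        }
    }
}

# Usage: show only the drivers worth a second look, grouped by signer.
Get-LoadedDriverSignatureReport | Where-Object Review | Sort-Object Signer, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable. Drivers whose `Status` is not `Valid` deserve immediate attention, but the more interesting output for a case like HotPage is the set of drivers that are validly signed yet not inbox Windows code: those are the third-party components whose publisher, purpose and device-object permissions should be confirmed against what is expected on that machine.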
“The examination of this seemingly ordinary malware has once again demonstrated that developers of malicious adware are still willing to put in extra effort to achieve their objectives,” stated Dumont.
“Not only have they created a kernel component with numerous techniques to manipulate processes, but they have also complied with Microsoft’s requirements to secure a code-signing certificate for their driver component.”