Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites while stealthily dropping a kernel driver component that allows attackers to run arbitrary code with elevated permissions on Windows hosts.
Dubbed HotPage, the malware takes its name from an installer of the same name (“HotPage.exe”), according to new findings from ESET.
The installer “deploys a driver capable of injecting code into remote processes and two libraries capable of intercepting and manipulating browser network traffic,” ESET researcher Romain Dumont said in a technical analysis published today.
“The malware can modify or replace the content of the requested page, redirect the user to another page, or open a new page in a new tab under certain conditions.”
In addition to intercepting and filtering the browser's traffic to display game-related advertisements, the malware is designed to collect system information and send it to a remote server associated with the Chinese company Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is achieved by means of a driver whose main task is to inject the libraries into browser processes and tamper with their execution flow, either to change the URL being accessed or to ensure that the home page of a newly launched browser instance is redirected to a specific URL set in the configuration.
That’s not all. The absence of any access control list (ACL) on the driver meant that an attacker with an unprivileged account could use it to gain elevated privileges and run code as the NT AUTHORITY\SYSTEM account.
“This kernel component inadvertently leaves the door open for other threats to run code at the highest level of privilege available in the Windows operating system: the System account,” Dumont said. “Due to incorrect access restrictions on this kernel component, any process can communicate with it and use its code injection capabilities to target any vulnerable processes.”
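The access-control flaw described above can be checked for any driver from user mode: open the driver's device object from a standard, non-administrator session and dump its DACL. The PowerShell below is an added example, not code from ESET's analysis or from the HotPage driver, and it uses a placeholder device name (`\\.\ExampleDevice`) that must be replaced with the symbolic link name of the driver under test; the page does not give HotPage's device name.

```powershell
# Added example (not ESET's code or the HotPage driver): probe whether a device object
# can be opened read/write by the current process and read its DACL as an SDDL string.
# Run it as a standard user; a successful read/write open means any process in that
# session can send IOCTLs to the driver.
$Native = @"
using System;
using System.Runtime.InteropServices;
public static class DevProbe {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    // GetSecurityInfo: objType 1 = SE_FILE_OBJECT, secInfo 4 = DACL_SECURITY_INFORMATION
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern uint GetSecurityInfo(IntPtr handle, int objType, uint secInfo,
        IntPtr ppSidOwner, IntPtr ppSidGroup, IntPtr ppDacl, IntPtr ppSacl, out IntPtr ppSD);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptorW(
        IntPtr sd, uint revision, uint secInfo, out IntPtr str, out uint len);
    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr h);
}
"@
Add-Type -TypeDefinition $Native

function Get-DeviceObjectAccess {
    param([Parameter(Mandatory)][string]$DeviceName)   # e.g. '\\.\ExampleDevice' (placeholder)

    $GENERIC_RW   = 0xC0000000   # GENERIC_READ | GENERIC_WRITE
    $READ_CONTROL = 0x00020000
    $SHARE_RW     = 3            # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING = 3

    $result = [ordered]@{ Device = $DeviceName; OpenReadWrite = $false; Dacl = $null; OpenError = $null }

    # Step 1: can this process open the device for read/write (i.e. talk to the driver)?
    $h = [DevProbe]::CreateFileW($DeviceName, $GENERIC_RW, $SHARE_RW, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -ne -1) {
        $result.OpenReadWrite = $true
        [void][DevProbe]::CloseHandle($h)
    } else {
        $result.OpenError = "read/write open failed, Win32 error " + [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    }

    # Step 2: read the DACL. READ_CONTROL is usually granted even when read/write is not.
    $h = [DevProbe]::CreateFileW($DeviceName, $READ_CONTROL, $SHARE_RW, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -ne -1) {
        $sd = [IntPtr]::Zero
        $rc = [DevProbe]::GetSecurityInfo($h, 1, 4, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sd)
        if ($rc -eq 0) {
            $str = [IntPtr]::Zero
            $len = [uint32]0
            if ([DevProbe]::ConvertSecurityDescriptorToStringSecurityDescriptorW($sd, 1, 4, [ref]$str, [ref]$len)) {
                $result.Dacl = [Runtime.InteropServices.Marshal]::PtrToStringUni($str)
                [void][DevProbe]::LocalFree($str)
            }
            [void][DevProbe]::LocalFree($sd)
        }
        [void][DevProbe]::CloseHandle($h)
    }
    [pscustomobject]$result
}

# Usage (placeholder device name; substitute the driver's symbolic link):
Get-DeviceObjectAccess -DeviceName '\\.\ExampleDevice'
```

Read the output as follows: `OpenReadWrite` equal to `True` from a standard user means the driver accepts IOCTLs from any process in that session, which is the condition the ESET quote describes; a `Dacl` with no `D:` section means the device has a NULL DACL, and an ACE such as `(A;;GA;;;WD)` grants Everyone full access. The driver-side fix is to create the device with `IoCreateDeviceSecure` and an SDDL string such as `D:P(A;;GA;;;SY)(A;;GA;;;BA)`, which restricts the device to SYSTEM and Administrators.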
Although the exact method of distribution of the installer is unknown, data collected by the Slovak cybersecurity firm shows that it was advertised as a security solution for internet cafés, designed to improve the browsing experience by blocking ads.
The embedded driver is notable for being signed by Microsoft. The Chinese company is believed to have gone through Microsoft’s driver code signing requirements and succeeded in obtaining an Extended Validation (EV) certificate, which is a prerequisite for submitting a driver to Microsoft for signing. The driver has since been removed from the Windows Server Catalog as of May 1, 2024.
Kernel-mode drivers are required to be digitally signed before the Windows operating system will load them, an important layer of protection introduced by Microsoft to guard against malicious drivers that can be weaponized to bypass security controls and interfere with system processes.
However, Cisco Talos revealed in July 2023 how Chinese-speaking threat actors were exploiting a loophole in Microsoft’s Windows driver signing policy to forge signatures on kernel-mode drivers: the policy still accepts drivers signed with certificates issued before July 29, 2015, and the actors abused this by forging the signing timestamp so that drivers signed with expired or stolen certificates appeared to fall under the exception.
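Both the legitimately signed HotPage driver and the forged-signature drivers Talos described pass the signature check that Windows enforces at load time, so a defender has to look at who signed a driver and when, not merely whether it is signed. The PowerShell below is an added example, not part of ESET's or Talos's analysis: it walks the drivers currently loaded on the host, reports the Authenticode signer, and flags any driver whose signing certificate predates the July 29, 2015 policy cut-off. A pre-cut-off certificate is not proof of abuse (many legitimate vendors still ship such drivers); it marks a driver whose signature could have been produced through the loophole and deserves closer inspection.

```powershell
# Added example (not from ESET or Cisco Talos): inventory loaded kernel drivers with
# their Authenticode signer and flag certificates issued before Microsoft's
# 29 July 2015 cut-off for cross-signed drivers.
function Get-LoadedDriverSignatureReport {
    param([datetime]$CutOff = [datetime]'2015-07-29')

    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalize the NT-style prefixes some entries carry (\??\ and \SystemRoot\)
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot resolve

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                Driver            = $_.Name
                Path              = $path
                Status            = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
                Signer            = if ($cert) { $cert.Subject } else { $null }
                CertNotBefore     = if ($cert) { $cert.NotBefore } else { $null }
                PreCutOffCert     = if ($cert) { $cert.NotBefore -lt $CutOff } else { $null }
                SignedByMicrosoft = if ($cert) { $cert.Subject -like 'CN=Microsoft*' } else { $false }
            }
        }
}

# Usage: list flagged drivers first, then everything else
Get-LoadedDriverSignatureReport |
    Sort-Object PreCutOffCert, Status -Descending |
    Format-Table Driver, Status, SignedByMicrosoft, PreCutOffCert, CertNotBefore, Signer -AutoSize
```

Two caveats: `Status` reflects the trust evaluation on the machine where the script runs, so a certificate revoked after the fact only shows up if that machine can perform revocation checks; and `SignedByMicrosoft` is a name match on the signer subject, which is exactly why a driver like HotPage's, signed by Microsoft after an EV-backed submission, will not be flagged by this check and needs to be judged on its behaviour (device object ACL, injection capabilities) rather than on its signature.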
“The analysis of this seemingly common malware once again proved that adware developers are still willing to go the extra mile to achieve their goals,” said Dumont.
“Not only did they develop a kernel component with a large set of methods to manipulate processes, they also went through Microsoft’s requirements to obtain a code signing certificate for their driver component.”