Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts.
The malware, dubbed HotPage, gets its name from the eponymous installer (“HotPage.exe”), according to new findings from ESET.
The installer “deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic,” ESET researcher Romain Dumont said in a technical analysis published today.
“The malware can modify or replace the contents of a requested page, redirect the user to another page, or open a new page in a new tab based on certain conditions.”
Besides leveraging its browser traffic interception and filtering capabilities to display game-related ads, it is designed to harvest and exfiltrate system information to a remote server associated with a Chinese company named Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is accomplished by means of a driver, whose primary objective is to inject the libraries into browser applications and alter their execution flow to change the URL being accessed or ensure that the homepage of the new web browser instance is redirected to a particular URL specified in a configuration.
That’s not all. The absence of any access control lists (ACLs) for the driver meant that an attacker with a non-privileged account could leverage it to obtain elevated privileges and run code as the NT AUTHORITYSystem account.
“This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account,” Dumont said. “Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes.”
Although the exact method by which the installer is distributed is not known, evidence gathered by the Slovakian cybersecurity firm shows that it has been advertised as a security solution for internet cafés that’s intended to improve users’ browsing experience by stopping ads.
The embedded driver is notable for the fact that it’s signed by Microsoft. The Chinese company is believed to have gone through Microsoft’s driver code signing requirements and managed to obtain an Extended Verification (EV) certificate. It has been removed from the Windows Server Catalog as of May 1, 2024.
Kernel-mode drivers have been required to be digitally signed to be loaded by the Windows operating system, an important layer of defense erected by Microsoft to protect against malicious drivers that could be weaponized to subvert security controls and interfere with system processes.
That said, Cisco Talos revealed last July how native Chinese-speaking threat actors are exploiting a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers.
“The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals,” Dumont said.
“Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component.”
