
Cybersecurity experts have identified a deceptive advertising module that, under the guise of blocking adverts and harmful websites, secretly installs a kernel driver component. This allows attackers to execute arbitrary code with elevated privileges on Windows systems.


HotPage Malware Unveiled

ESET’s recent research has revealed the HotPage malware, named after its installer (“HotPage.exe”). The installer deploys a driver capable of injecting code into remote processes and includes two libraries that intercept and manipulate browser network traffic.

Technical Analysis

Romain Dumont, an ESET researcher, explained in a technical investigation that the HotPage malware can modify or replace the contents of a web page, redirect users to different pages, or open new tabs based on specific conditions. In addition to displaying game-related adverts, HotPage collects and sends system information to a remote server associated with a Chinese company, Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).

Driver Exploitation

The primary function of the HotPage malware driver is to inject libraries into browser applications, altering their execution flow to change accessed URLs or redirect browser homepages. The driver’s lack of access control lists (ACLs) allows attackers with non-privileged accounts to gain elevated privileges and execute code as the NT AUTHORITY\System account.

Security Implications

“This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account,” Dumont noted. “Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes.”
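One way to audit for the weakness described in the Driver Exploitation and Security Implications sections above, as an added example that is neither ESET's analysis code nor anything from the driver's vendor: a small Python helper that takes SDDL security descriptors collected from kernel device objects and flags DACLs that let every ordinary local user open the device. The device names and SDDL strings are constructed for illustration; the real HotPage device name is not given on this page.

```python
"""Flag device-object DACLs that any local process can use (constructed sample data)."""
import re

# Well-known SID aliases that cover every ordinary local user.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "IU": "Interactive"}
# Rights that allow sending data/IOCTLs or rewriting the ACL: GENERIC_ALL/WRITE,
# FILE_ALL/WRITE, FILE_WRITE_DATA (DC), WRITE_DAC (WD), WRITE_OWNER (WO).
STRONG = {"GA", "GW", "FA", "FW", "DC", "WD", "WO"}
STRONG_BITS = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x2  # same rights as hex mask


def dacl_aces(sddl):
    """Return the DACL's ACEs as 6-field tuples, or None when the descriptor has no DACL.
    A missing D: section is a NULL DACL, which Windows treats as full access for everyone."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return None
    return [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group(1))]


def rights_are_strong(rights):
    """True if the ACE rights (two-letter codes or a hex mask) include write/IOCTL access."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & STRONG_BITS != 0
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & STRONG)


def audit(device, sddl):
    """Return human-readable findings; an empty list means only specific principals get in.
    Even read-only access is reported, because IOCTLs defined with FILE_ANY_ACCESS work
    with any open handle, which is exactly how an unrestricted device gets driven."""
    aces = dacl_aces(sddl)
    if aces is None:
        return [f"{device}: NULL DACL, any process can open it with full access"]
    findings = []
    for ace in aces:
        if len(ace) != 6 or ace[0] != "A" or ace[5] not in BROAD:  # allow ACEs for broad SIDs only
            continue
        sev = "write/IOCTL access" if rights_are_strong(ace[2]) else "open/read access"
        findings.append(f"{device}: {BROAD[ace[5]]} granted {sev} ({ace[2]})")
    return findings


SAMPLE_DEVICES = {  # constructed names and descriptors, not taken from the real driver
    "\\Device\\ExampleAdDriver": "O:SYG:SY",                     # no D: section -> NULL DACL
    "\\Device\\ExampleFilter": "D:(A;;GA;;;WD)",                 # Everyone, full control
    "\\Device\\Hardened": "D:P(A;;GA;;;SY)(A;;GA;;;BA)",         # SYSTEM and Administrators only
    "\\Device\\ReadOnlyUsers": "D:P(A;;GR;;;AU)(A;;GA;;;SY)",    # Authenticated Users may open it
}


def audit_all(devices=SAMPLE_DEVICES):
    return {dev: audit(dev, sddl) for dev, sddl in devices.items()}


if __name__ == "__main__":
    for dev, found in audit_all().items():
        print(dev, "->", found or ["ok: restricted to privileged principals"])
```

Descriptors for real device objects can be gathered with any tool that dumps the security descriptor of an opened `\\.\DeviceName` handle; the helper only does the classification.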

Distribution and Impact

While the exact delivery mechanism of the installer remains unknown, data from the Slovakian cybersecurity firm suggests it has been marketed as a security solution for internet cafés, aiming to enhance users’ browsing experience by blocking adverts. The embedded driver is particularly noteworthy because it is signed by Microsoft, indicating that the Chinese company met Microsoft’s driver code-signing requirements and obtained an Extended Validation (EV) certificate. However, the driver was removed from the Windows Server Catalog on May 1, 2024.

Microsoft’s Defense Layer

Kernel-mode drivers must be digitally signed before the Windows operating system will load them, a crucial defense mechanism implemented by Microsoft to prevent malicious drivers from bypassing security measures and interfering with system operations. However, last July, Cisco Talos discovered that native Chinese-speaking threat actors were exploiting a loophole in a Microsoft Windows policy to forge signatures on kernel-mode drivers.

Conclusion

“The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals,” Dumont remarked at a conference. “Not only have they developed a kernel component with extensive techniques to manipulate processes, but they also complied with Microsoft’s requirements to obtain a code-signing certificate for their driver component.” The presence and impact of the HotPage malware underscore the evolving nature of cybersecurity threats and the lengths malicious actors will go to exploit system vulnerabilities.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
