ESET researchers recently uncovered the HotPage malware [8], a browser-injecting advertising module that poses as an ad blocker and is distributed through an installer named HotPage.exe.

Description

HotPage is a Chinese browser injector that ships with a kernel driver component allowing attackers to run arbitrary code with elevated privileges on Windows hosts [1] [3] [6] [7]. The driver was signed by Microsoft and developed by Hubei Dunwang Network Technology Co., Ltd [5] [8] [9]; it was removed from the Windows Server Catalog after ESET reported the vulnerability to Microsoft. The software masquerades as a security product, but actually introduces new ads and new vulnerabilities [4], leaving the system open to further threats [4]. It injects code into remote processes [1] [2] [3] [4] [5] [6] [7] [10] [11], intercepts browser network traffic [1] [2] [3] [5] [6] [7] [10], and redirects users to malicious websites [3].

The embedded driver [2], despite being signed by Microsoft [3], is itself the weak point: it does not restrict which local processes can talk to it [9], so any process on the host can use it to manipulate other processes and escalate privileges [8]. This highlights the risks of kernel-level code injection and of the abuse of code-signing processes [8]. Installation drops the driver on disk [2], decrypts configuration files [2], and injects libraries into Chromium-based browsers [2] [4]. Because of the missing access restrictions, the kernel component lets an attacker obtain system-level privileges and run code as the NT AUTHORITY\SYSTEM account, or inject malicious code into other processes [1] [2] [4]. The malware, passed off as an ad blocker, also connects to a C2 server for its malicious activities [9]. Users should be cautious even with programs deemed trustworthy [9], as Microsoft's code-signing process can be abused [9].
It is recommended to isolate programs and restrict their privileges as much as possible to defend against such threats, along with regularly updating software, using comprehensive security solutions [1] [2] [3] [4] [6] [11], and maintaining strict access controls [2]. The presence of HotPage highlights the evolving nature of cybersecurity threats and the lengths malicious actors will go to in order to exploit system weaknesses [10]. The malware collects system information and communicates with a remote server associated with Hubei Dunwang Network Technology Co., Ltd [1]. The company obtained an Extended Validation (EV) code-signing certificate [1], the prerequisite for submitting a driver to Microsoft's driver-signing program; the resulting Microsoft signature let the driver satisfy the Windows requirement that kernel-mode drivers be digitally signed before they are loaded [1]. This gap in Microsoft's process has been abused by threat actors before to obtain legitimate signatures on malicious kernel-mode drivers [1], emphasizing the need for comprehensive security solutions and access controls to mitigate the risks posed by malicious code injection [1].

HotPage.exe itself was first detected in late 2023 [2] [5] [11]. Disguised as a web browsing enhancer [5], it injects code into remote processes and intercepts browser traffic [1] [2] [3] [5] [6] [7] [11]. ESET reported the vulnerability to Microsoft in March 2024 [2] [5], leading to the removal of the driver from the Windows Server Catalog in May 2024 [5]. ESET detects the components as WinHotPageA and WinHotPageB [5]. Source [5] also reports that further investigation turned up kernel-mode driver vulnerabilities in NVIDIA and Arm products, which those vendors then addressed. The company behind the malware has a questionable background [5], and its domain dwadsafe.com is currently offline [5].
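The two findings above (a third-party kernel driver that carries a Microsoft signature, and a driver whose interface any local process may open) are things a defender can check for directly. The following PowerShell script is an added example, written for this page and not taken from ESET or from the HotPage reporting. It assumes nothing about HotPage's actual device name: the '\\.\SomeVendorDevice' string is a placeholder to replace with the device object you want to test, and the HotPageCheck namespace is a name chosen here. Run it from a normal, non-elevated PowerShell session, because the point of the second check is what an unprivileged process is allowed to open.

```powershell
# Added example, not code from ESET or from the HotPage reporting.
# Three checks on a Windows host:
#  1. Which running kernel drivers are not Microsoft OS binaries, and which of
#     those carry a "Microsoft Windows Hardware Compatibility Publisher" signature
#     (i.e. were signed by Microsoft on a third party's behalf, as HotPage's was).
#  2. Whether a given device object can be opened for read/write by the current,
#     non-elevated user. A driver that hands back a valid handle instead of
#     ERROR_ACCESS_DENIED (5) exposes its interface to every local process,
#     which is the class of weakness the text describes.
#  3. Whether Microsoft's vulnerable-driver blocklist is enabled on this host.

Add-Type -Namespace HotPageCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ThirdPartyKernelDriver {
    # Enumerate running kernel drivers and resolve each image's signer.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be '\??\C:\...', 'C:\...' or relative to the Windows directory.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status
                IsOSBinary = [bool]$sig.IsOSBinary
                Signer     = $sig.SignerCertificate.Subject
                # Microsoft-signed on behalf of a third party (WHCP), not a Microsoft OS binary.
                WHCPSigned = ($sig.SignerCertificate.Subject -like '*Windows Hardware Compatibility Publisher*')
            }
        } |
        Where-Object { -not $_.IsOSBinary }   # drop inbox Microsoft drivers
}

function Test-DeviceOpenable {
    param([Parameter(Mandatory)][string]$DeviceName)  # e.g. '\\.\SomeVendorDevice' (placeholder)
    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $OPEN_EXISTING = [uint32]3
    $access = [uint32]($GENERIC_READ -bor $GENERIC_WRITE)
    $h = [HotPageCheck.Native]::CreateFileW($DeviceName, $access, 0, [IntPtr]::Zero,
        $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -eq -1) {
        # 5 = ERROR_ACCESS_DENIED (good: the device is ACLed); 2 = no such device.
        return [pscustomobject]@{ Device = $DeviceName; Openable = $false; Win32Error = $err }
    }
    [HotPageCheck.Native]::CloseHandle($h) | Out-Null
    return [pscustomobject]@{ Device = $DeviceName; Openable = $true; Win32Error = 0 }
}

function Get-VulnerableDriverBlocklistState {
    # Microsoft's blocklist switch lives under the Code Integrity config key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{ BlocklistEnabled = ($v -eq 1) }
}

# Usage:
Get-ThirdPartyKernelDriver | Format-Table Name, Status, WHCPSigned, Signer -AutoSize
Test-DeviceOpenable -DeviceName '\\.\SomeVendorDevice'   # placeholder; substitute the device under test
Get-VulnerableDriverBlocklistState
```

A WHCPSigned driver is not malicious by itself; plenty of legitimate vendors go through the same program. The combination to look at is a WHCP-signed driver from a vendor you do not recognise whose device object is Openable for a standard user: that is exactly the shape of the HotPage finding. Note that the blocklist check only tells you whether the feature is on, not whether any particular driver is on the list.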

Conclusion

HotPage poses significant security risks by shipping a Microsoft-signed kernel driver that lacks access controls and by injecting malicious code into processes. To mitigate these risks [1], users should implement comprehensive security solutions, regularly update software [2], and maintain strict access controls [2]. The abuse of the code-signing process highlights the need for stronger controls on what gets signed and loaded in the kernel. The evolving nature of cybersecurity threats underscores the importance of staying vigilant and proactive in defending against them.

References

[1] https://indoguardonline.com/2024/07/18/hotpage-adware-installs-a-malicious-kernel-driver-under-the-guise-of-an-ad-blocker/
[2] https://www.infosecurity-magazine.com/news/hotpage-hijacks-browsers-microsoft/
[3] https://www.443news.com/2024/07/hotpage-adware-disguised-as-ad-blocker-installs-malicious-kernel-driver/
[4] https://www.eset.com/int/about/newsroom/press-releases/research/chinese-hotpage-browser-injector-is-capable-of-replacing-web-content-and-opens-the-system-to-other-vulnerabilities-eset-research-discovers/
[5] https://leymarcodeciberseguridad.cl/el-malware-hotpage-secuestra-navegadores-con-controladores-firmados-por-microsoft/
[6] https://patabook.com/technology/2024/07/18/alert-hotpage-adware-disguised-as-ad-blocker-installs-malicious-kernel-driver/
[7] https://www.redpacketsecurity.com/alert-hotpage-adware-disguised-as-ad-blocker-installs-malicious-kernel-driver/
[8] https://securityboulevard.com/2024/07/eset-chinese-adware-opens-windows-systems-to-more-threats/
[9] https://www.darkreading.com/threat-intelligence/microsoft-signed-chinese-adware-opens-the-door-to-kernel-privileges
[10] https://rhyno.io/blogs/cybersecurity-news/hotpage-malware-exploits-kernel-driver-on-windows-systems/
[11] https://thehackernews.com/2024/07/alert-hotpage-adware-disguised-as-ad.html