Cybersecurity researchers have disclosed an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts.
The malware, dubbed HotPage, gets its name from the eponymous installer ("HotPage.exe"), according to new findings from ESET.
The installer "deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic," ESET researcher Romain Dumont said in a technical analysis published today.
"The malware can modify or replace the contents of a requested page, redirect the user to another page, or open a new page in a new tab based on certain conditions."
Besides leveraging its browser traffic interception and filtering capabilities to display game-related ads, it's designed to harvest and exfiltrate system information to a remote server associated with a Chinese company named Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).
This is accomplished by means of a driver whose main purpose is to inject the libraries into browser applications and alter their execution flow, either to change the URL being accessed or to ensure that the homepage of a new web browser instance is redirected to a specific URL specified in a configuration.
That's not all. The absence of any access control lists (ACLs) on the driver's device object meant that an attacker with a non-privileged account could leverage it to obtain elevated privileges and run code as the NT AUTHORITY\System account.
"This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account," Dumont said. "Due to improper access restrictions to this kernel component, any process can communicate with it and leverage its code injection capability to target any non-protected process."
While the exact method by which the installer is distributed is not known, evidence gathered by the Slovakian cybersecurity firm shows that it has been advertised as a security solution for internet cafés that's meant to improve users' browsing experience by blocking ads.
The embedded driver is notable for the fact that it's signed by Microsoft. The Chinese company is believed to have gone through Microsoft's driver code signing requirements and managed to obtain an Extended Validation (EV) certificate. The driver has been removed from the Windows Server Catalog as of May 1, 2024.
Kernel-mode drivers have long been required to be digitally signed before the Windows operating system will load them, an important layer of defense erected by Microsoft to protect against malicious drivers that could be weaponized to subvert security controls and interfere with system processes.
That said, Cisco Talos revealed last July how native Chinese-speaking threat actors are exploiting a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers.
"The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals," Dumont said.
"Not only that, they've developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component."