Researchers have discovered a new form of malware called HotPage.exe.
Initially detected in late 2023, this malware masquerades as an installer that ostensibly improves web browsing by blocking ads and malicious websites.
In reality, it injects code into remote processes and intercepts browser traffic. As described in an advisory published by ESET earlier today, the malware can modify, replace or redirect web content and open new tabs based on specific conditions.
Interestingly, the driver embedded in HotPage.exe carries a Microsoft signature, while the signing attribution names a Chinese company, Hubei Dunwang Network Technology Co., Ltd.
The situation has raised concerns due to the limited information available about the company. Marketed as an “Internet cafe security solution” aimed at Chinese-speaking users, the software was supposed to improve the browsing experience.
Instead, it redirects users to game-related advertisements and collects data about the user’s computer for statistical purposes.
ESET reported the driver to Microsoft on March 18, 2024, following the Coordinated Vulnerability Disclosure Process. Microsoft removed the offending driver from the Windows Server Catalog on May 1, 2024. ESET detects this threat as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.
Further investigation revealed that Hubei Dunwang Network Technology Co., Ltd. satisfied Microsoft's driver code signing requirements, including obtaining an Extended Validation (EV) certificate, and so was able to have its driver signed.
According to ESET, this highlights the ongoing abuse of the trust-based system for signing drivers: a valid signature attests that the submitter met the program's requirements, not that the driver is benign. The company, registered in early 2022, has a shady history, and its domain, dwadsafe.com, is now offline.
Technical analysis of HotPage malware
From a technical point of view, the installation process drops a driver on disk, decrypts configuration files, and uses the driver to inject libraries into Chromium-based browsers.
The injected libraries manipulate browser traffic by hooking network-related Windows API functions inside the browser process, modifying URLs, or opening new tabs with ad-filled content.
A critical issue with this malware is its kernel component, which inadvertently allows other threats to execute code at the highest privilege level in the Windows operating system.
This is due to inadequate access restrictions on the driver's communication interface: any process, regardless of its privilege level, can talk to the kernel component and use its code injection capability against other processes.
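The page does not say how the driver exposes its interface, so the following is an added example, not ESET's analysis or the HotPage code. It shows the check a driver reviewer would run on the one thing under the driver author's control: the security descriptor of the device object, which Windows drivers declare as an SDDL string (for example through IoCreateDeviceSecure/WdmlibIoCreateDeviceSecure or an INF). A DACL that grants an allow ACE to Everyone, Authenticated Users or similar principals is what lets "any process" open the device and send it requests. The device names and SDDL strings in the sample are constructed for this example; the constant SDDL_DEVOBJ_SYS_ALL_ADM_ALL is the WDK's definition from wdmsec.h.

```python
import re

# Well-known two-letter SID abbreviations used in SDDL (subset), split into
# principals that any local user can obtain versus high-privilege principals.
UNPRIVILEGED_SIDS = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
    "IU": "Interactive Users", "AN": "Anonymous", "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Builtin Users",
}
PRIVILEGED_SIDS = {"SY": "Local System", "BA": "Builtin Administrators"}

# Access-right codes used in SDDL ACE strings, mapped to their bit masks.
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
RIGHT_CODES = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

# WDK constant (wdmsec.h): a device that only SYSTEM and Administrators may open.
SDDL_DEVOBJ_SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

# ACE string layout: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def parse_rights(field):
    """Turn an SDDL rights field ("GRGW", "GA", "0x120089") into a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError(f"unsupported rights code {code!r}")
        mask |= RIGHT_CODES[code]
    return mask


def dacl_aces(sddl):
    """Return (ace_type, rights_mask, sid) tuples from the D: part of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []                      # no DACL declared at all
    dacl = sddl[start + 2:]
    end = dacl.find("S:")              # an audit (SACL) section may follow
    if end >= 0:
        dacl = dacl[:end]
    return [(m.group(1), parse_rights(m.group(3)), m.group(6))
            for m in ACE_RE.finditer(dacl)]


def unprivileged_access(sddl):
    """List (principal, mask) for allow ACEs that let a low-privilege principal
    open the device. Deny ACEs and empty masks are ignored."""
    findings = []
    for ace_type, mask, sid in dacl_aces(sddl):
        if ace_type != "A" or mask == 0:
            continue
        if sid in UNPRIVILEGED_SIDS:
            findings.append((UNPRIVILEGED_SIDS[sid], mask))
    return findings


def audit_devices(devices):
    """devices: {device_name: sddl}. Returns only the devices whose DACL is
    open to unprivileged callers, with the offending grants."""
    return {name: hits for name, sddl in devices.items()
            if (hits := unprivileged_access(sddl))}


# Constructed sample: device names and SDDL strings invented for this example.
SAMPLE_DEVICES = {
    r"\Device\LockedDown": SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
    r"\Device\WorldWritable": "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)",
    r"\Device\HexMask": "D:(A;;0x120089;;;AU)",
    r"\Device\DenyOnly": "D:(D;;GA;;;WD)(A;;GA;;;BA)",
}

if __name__ == "__main__":
    for name, hits in audit_devices(SAMPLE_DEVICES).items():
        for principal, mask in hits:
            print(f"{name}: {principal} granted 0x{mask:08X}")
```

Two caveats on reading the result. A driver that creates its device with plain IoCreateDevice and never sets a descriptor does not get to declare an SDDL at all; it receives the I/O manager's default for its device type, which is why reviewers look for IoCreateDeviceSecure or an INF-supplied descriptor in the first place. And a restrictive DACL only helps if the device is also created with FILE_DEVICE_SECURE_OPEN, otherwise opens through a sub-path of the device name can bypass it. The script inspects declared descriptors only; it is not a live probe of a running system.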
The broader implications of this technique are notable for the cybersecurity industry. A Microsoft-signed driver in the hands of malware not only facilitates intrusive adware, but also exposes affected systems to other security risks.
Because the driver loads and runs with the trust extended to any signed driver, other attackers could use its unrestricted interface to gain system-level privileges or inject malicious code into processes.
To defend against such threats, security researchers suggest keeping software up to date, using comprehensive security solutions, and maintaining strict access controls, in particular over who may install drivers. A Microsoft signature on a driver should be treated as necessary, not sufficient, evidence that the driver is safe to load.