Microsoft signed driver exploited by HotPage adware

Attackers deployed HotPage, adware posing as an ad blocker, which stealthily installs a Microsoft-signed kernel driver that enables arbitrary code execution on targeted Windows systems, The Hacker News reports.

In addition to injecting code into other processes, the kernel driver also exfiltrates system data to a remote server linked to Hubei Dunwang Network Technology Co., Ltd, according to an ESET analysis.

Additionally, because the driver exposes its device object with no access control list, any unprivileged local user can open it and abuse its capabilities to escalate privileges and execute code as NT AUTHORITY\SYSTEM, the report said. Such findings indicate the continued evolution of tactics employed by adware developers, noted Romain Dumont, a researcher at ESET.
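The access-control weakness described above is something a defender can check directly. The PowerShell script below is an added example, not code from the article, from ESET or from the HotPage operators: it lists running kernel drivers whose Authenticode signer is the Microsoft Windows Hardware Compatibility Publisher certificate (the signature third-party vendors obtain through Microsoft's program, as opposed to the "Microsoft Windows" signer on inbox drivers), and it then tries to open a device object from the current security context. The device name `\\.\ExampleDevice` is a placeholder assumption, not the HotPage driver's device name; substitute the name found with WinObj or from the driver's own IoCreateDevice call, and run the script from a non-elevated prompt so the result reflects what a standard user can reach.

```powershell
<#
  Added example (not from the article or from ESET): triage checks for a
  third-party kernel driver that exposes an unprotected device object.
  Run from a NON-elevated PowerShell so the open test reflects a standard
  user's access. The default device path is a hypothetical placeholder.
#>
param(
    # Hypothetical device name; the real name must come from your own analysis.
    [string]$DevicePath = '\\.\ExampleDevice'
)

# Minimal P/Invoke surface: CreateFileW opens a device object by its \\.\ name.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-WhcpSignedDrivers {
    # Running kernel drivers whose signer is the Microsoft WHCP publisher cert,
    # i.e. third-party code signed through Microsoft's program rather than by
    # Microsoft itself. Inbox Windows drivers carry "CN=Microsoft Windows".
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
      Where-Object { $_.PathName } |
      ForEach-Object {
        # Normalise the kernel-style path (\??\C:\... or \SystemRoot\...) to a Win32 path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*') {
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
      }
}

function Test-DeviceOpen {
    # Attempts to open the device with read, then read+write access. A handle
    # obtained by a standard user means the device object has no effective DACL
    # (or a permissive one) and every IOCTL the driver exposes is reachable.
    param([string]$Path)
    $attempts = [ordered]@{
        'GENERIC_READ'               = [uint32]0x80000000
        'GENERIC_READ|GENERIC_WRITE' = [uint32]0xC0000000
    }
    foreach ($name in $attempts.Keys) {
        $h   = [Win32.Native]::CreateFileW($Path, $attempts[$name], 0, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)  # 3 = OPEN_EXISTING
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $opened = ($h.ToInt64() -ne -1)   # -1 is INVALID_HANDLE_VALUE
        if ($opened) { [void][Win32.Native]::CloseHandle($h) }
        if     ($opened)    { $verdict = 'OPENED: device reachable from this context' }
        elseif ($err -eq 5) { $verdict = 'ERROR_ACCESS_DENIED: device has a restrictive DACL' }
        elseif ($err -eq 2) { $verdict = 'ERROR_FILE_NOT_FOUND: no such device object' }
        else                { $verdict = "open failed, Win32 error $err" }
        [pscustomobject]@{ Device = $Path; Access = $name; Opened = $opened; Verdict = $verdict }
    }
}

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host 'Running drivers signed by the Microsoft WHCP publisher certificate:'
Get-WhcpSignedDrivers | Format-Table -AutoSize

Write-Host "Device open test (running elevated: $isAdmin; a meaningful result needs a standard-user context):"
Test-DeviceOpen -Path $DevicePath | Format-Table -AutoSize
```

If the read+write open succeeds from a standard-user prompt, the driver's IOCTL surface is fully exposed to unprivileged code, which is the condition the report describes. On the driver side the fix is to create the device with a security descriptor rather than a bare IoCreateDevice: IoCreateDeviceSecure (or WdfDeviceInitAssignSDDLString in KMDF) with an SDDL string such as `D:P(A;;GA;;;SY)(A;;GA;;;BA)`, which grants access only to SYSTEM and Administrators and makes the same open test return ERROR_ACCESS_DENIED for everyone else.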

“Not only did they develop a kernel component with a broad set of techniques to manipulate processes, but they also met the requirements imposed by Microsoft to obtain a code signing certificate for their driver component,” Dumont said.
