Story of a signed, vulnerable, ad-injecting driver

In late 2023, researchers discovered a malicious installer known as HotPage.exe, capable of deploying a driver that injects code into remote processes and includes libraries designed to intercept and manipulate browser network traffic. Predominantly classified as adware by security products, its key element is a Microsoft-signed driver attributed to a little-known Chinese company—Hubei Dunwang Network Technology Co., Ltd. Although it claims to enhance internet browsing security, actual functionality revolves around displaying intrusive game-related ads and gathering information about users’ systems.

The malicious software leaves systemic vulnerabilities by permitting processes to communicate with its kernel component without stringent access controls, thus enabling arbitrary code execution at the SYSTEM account level. This oversight could allow attackers to exploit the driver for privilege escalation and further malicious activity within the Windows operating system. The researchers took timely action, reporting the driver to Microsoft, which subsequently removed it from the Windows Server Catalog by May 2024, though it was already detected as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B by ESET technologies.

Investigation into the driver’s code-signing certificate unveiled that the Chinese company secured an Extended Verification (EV) certificate from Microsoft, highlighting a disturbing trend where cybercriminals exploit trust-based security models. Through various investigations, it was revealed that the malware functions not by unpacking rooted adware but instead by leveraging its signed status to execute unpermitted commands and perform actions such as opening additional browser tabs filled with advertisements.

The distribution method behind HotPage.exe is speculative; however, it may have attached itself to legitimate software packages or been marketed as a security tool for internet cafés. Upon execution, the installer establishes a driver service and interacts with components that define which browser processes to target for code injection. Analyzing the business foundation of Hubei Dunwang, it has emerged that the company lacks extensive online presence and appears affiliated with a minor advertising entity.

Throughout the configuration of HotPage, distinct threads facilitate browser interaction, one for library injection and another for navigating to ad-based URLs. Evidence suggests that the malware intricately monitors browser processes, executing specific actions dependent on conforming URLs or patterns identified within its configuration. More alarmingly, injected libraries reportedly modify browser internals and assist in data manipulation, potentially altering users’ online experiences without their consent.

The research revealed two scenarios for potential privilege escalation: one leveraging arbitrary DLL injections into processes and the other changing command lines of newly created processes. Both scenarios exploit the poorly executed ACL setup of the driver, which poses a significant security risk, allowing unwanted access via innocuous-looking applications. The analysis underscores a recurring theme in modern malware; the infusion of casual adware development with complex methods that pose significant security threats.

In summary, the investigation of HotPage malware not only unveils the myriad ways in which adware can be misused but also illustrates the risks posed by trusting digital signatures as a form of security. The explosive potential for even less sophisticated users to harness these exploits stitch a complex narrative of compromised software integrity within systems that rely on trusted channels for security. Furthermore, this case serves as an alert concerning the underlying vulnerabilities in the architecture that supports contemporary operating systems and application trust models.