Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver
Summary:
ESET researchers unearthed a malicious program called HotPage that poses as an ad blocker. HotPage dupes users by promising to eliminate ads and malicious websites. However, it surreptitiously installs a kernel driver that grants attackers unrestricted access to run any code on a compromised Windows machine. This driver can manipulate web traffic by injecting code into web browsers, enabling attackers to modify web pages or redirect users entirely. HotPage further compromises systems by stealing system information and transmitting it to a server linked to a Chinese company. The malware capitalizes on a driver with improperly configured access controls, making it vulnerable to exploitation by any program, and granting it the highest level of privileges within the Windows system. While the exact distribution method remains unclear, evidence suggests it was advertised as a security solution for internet cafes. Kernel-mode drivers have been required to be digitally signed to be loaded by the Windows operating system, an important layer of defense erected by Microsoft to protect against malicious drivers that could be weaponized to subvert security controls and interfere with system processes. Notably, the driver was signed by Microsoft using an Extended Verification (EV) certificate, raising concerns about potential weaknesses in the code-signing process.
Security Officer Comments:
The HotPage incident underscores the concerning evolution of adware development. HotPage exemplifies an unsettling trend where adware developers are increasingly resorting to sophisticated techniques, including a kernel driver with extensive process manipulation capabilities and a legitimate code-signing certificate. This incident serves as a reminder of the importance of user vigilance, particularly when encountering software that offers seemingly unrealistic benefits. Security professionals must remain acutely aware of potential code-signing vulnerabilities and implement additional security measures to identify and prevent unauthorized driver installations. The stealing of sensitive data from compromised systems and subsequent delivery of the data to a Chinese company-owned server is an indicator of potential state-sponsored activity. This campaign highlights the potential for social engineering tactics used to distribute malware. Masquerading as legitimate software, HotPage specifically targeted internet cafes, a location where users might be more susceptible to trusting unfamiliar applications. Security awareness training for users in such environments can be a crucial line of defense against these deceptive tactics. While Microsoft requires kernel-mode drivers to be digitally signed for loading by the Windows operating system, the ability for malicious actors to potentially exploit loopholes or obtain certificates necessitates a multi-layered approach to security.
Suggested Corrections:
- User Education: Raising awareness about HotPage's deceptive tactics is paramount. Users, especially those in internet cafes, should be wary of downloading software that promises unrealistic benefits like complete ad blocking.
- Security Software: Utilize robust antivirus and anti-malware software that can detect and block malicious programs like HotPage. Regularly update these programs to ensure they have the latest threat definitions.
- Driver Management: Implement stricter driver management policies. Restrict non-administrative users from installing or modifying drivers.
- System Updates: Maintain a consistent update schedule for the Windows operating system and all installed applications.
- Code Signing Verification: While Microsoft code signing offers a layer of security, it shouldn't be the sole reliance. Employ additional verification methods to scrutinize driver legitimacy before installation.
IOCs for this threat are published here.
Link(s):
https://thehackernews.com/2024/07/alert-hotpage-adware-disguised-as-ad.html
https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/