Imagine installing an ad blocker that ends up displaying even more adware. To make matters worse, this “ad blocker” also steals sensitive data from the device it’s installed on, and even allows other malicious actors to run code with elevated privileges.
This is exactly what HotPage, a new adware module recently discovered by cybersecurity researchers ESET, can apparently do. In its analysis, ESET said it first spotted HotPage in late 2023 masquerading as an ad blocker, but during the installation, it “deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic.”
As a result, the malware can modify, or fully replace, the contents of a page the victim is trying to visit. It can redirect them to an entirely different page, or open a new page in a new tab, if needed.
Displaying ads, grabbing data, deploying malware
The core goal of HotPage is to display game-related ads, the researchers said. However, it can also grab system information, and send it to a remote server registered to a Chinese company Hubei Dunwang Network Technology Co., Ltd, which suggests that the campaign is of Chinese origin. Ultimately, the malware also allows non-privileged account holders to elevate their privileges and run code as the NT AUTHORITY\System account.
“This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the System account,” the researchers said in their writeup. “Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes.”
ESET concluded its writeup by saying that HotPage looks generic enough, but is in fact quite sophisticated.
+ There are no comments
Add yours