HotPage Malware Hijacks Browsers With Signed Microsoft Driver

Researchers have uncovered a new form of malware called HotPage.exe.

Initially detected at the end of 2023, this malware masquerades as an installer that ostensibly improves web browsing by blocking ads and malicious websites. 

However, it actually injects code into remote processes and intercepts browser traffic. As described in an advisory published by ESET earlier today, the malware can modify, replace or redirect web content and open new tabs based on specific conditions.

Interestingly, HotPage.exe’s embedded driver was signed by Microsoft but attributed to a Chinese company named Hubei Dunwang Network Technology Co., Ltd. 

This raised red flags due to the scant information available about the company. Marketed as an “Internet café security solution” to Chinese-speaking users, the software was purportedly designed to enhance the browsing experience. 

Instead, it redirects users to game-related ads and collects data about the user’s computer for statistical purposes.

ESET reported this vulnerability to Microsoft on March 18, 2024, following the coordinated vulnerability disclosure process. Microsoft removed the offending driver from the Windows Server Catalog on May 1, 2024. ESET has since labeled this threat Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.


Further investigations revealed that Hubei Dunwang Network Technology Co., Ltd. exploited Microsoft’s driver code-signing requirements to obtain an Extended Validation (EV) certificate. 

ESET said this underscores ongoing abuses of the trust-based system for driver signing. The company, registered in early 2022, has a murky background, and its domain, dwadsafe.com, is now offline. 
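The case above turns on a driver that carried a Microsoft signature while its actual publisher was an obscure company. One practical check a defender can run is to inventory the kernel drivers on a host, see which ones were signed through Microsoft's hardware-compatibility (attestation) path, and compare the publisher name embedded in each binary against a locally maintained allowlist. The script below is an added example, not code from ESET or from the original article; the allowlist contents are an assumption to be replaced with the vendors actually present in your fleet.

```powershell
# Added example: audit loaded kernel drivers for attestation-signed binaries
# whose embedded publisher (CompanyName) is not on a locally maintained allowlist.
# Requires an elevated PowerShell session on the Windows host being audited.

# ASSUMPTION: replace with the driver vendors you expect on your systems.
$Allowlist = @('Microsoft Corporation', 'Intel Corporation')

# Subject CN used on drivers signed via Microsoft's attestation signing service.
$WhcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }

$findings = foreach ($drv in $drivers) {
    # PathName may be in NT form (\??\C:\... or \SystemRoot\...); normalise to a Win32 path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Service   = $drv.Name
        State     = $drv.State
        Path      = $path
        Signer    = $subject
        SigStatus = $sig.Status
        Company   = $company
        Attested  = ($subject -like "*CN=$WhcpSubject*")
    }
}

# Flag attestation-signed drivers whose publisher is not allowlisted,
# plus anything unsigned or whose signature does not validate.
$suspicious = $findings | Where-Object {
    ($_.Attested -and $_.Company -notin $Allowlist) -or ($_.SigStatus -ne 'Valid')
}

$suspicious | Sort-Object Company |
    Format-Table Service, State, Company, SigStatus, Path -AutoSize
```

The CompanyName field comes from the driver's version resource and is set by whoever built the binary, so a match against the allowlist is a triage aid rather than proof of legitimacy; the useful signal is an attestation-signed driver from a publisher nobody on the team recognises, which is exactly the pattern this article describes.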

Technical Breakdown of the HotPage Malware

From a technical standpoint, the malware’s installation process involves dropping a driver on the disk, decrypting configuration files and injecting libraries into Chromium-based browsers. 

The driver manipulates browser traffic by hooking into network-based Windows API functions, altering URLs or opening new tabs with ad-filled content.

A critical issue with this malware is its kernel component, which inadvertently allows other threats to execute code at the highest privilege level in the Windows operating system. 

This is due to inadequate access restrictions, enabling any process to communicate with the kernel component and exploit its code injection capabilities. 

The broader implications of this technique are notable for the cybersecurity industry. The use of a legitimate, signed driver by malware not only facilitates intrusive adware but also exposes systems to further security risks. 

Attackers could exploit this vulnerability to gain system-level privileges or inject malicious code into processes, leveraging the trust inherently placed in signed drivers. 

To defend against threats like this, security researchers suggest regularly updating software, using comprehensive security solutions and maintaining strict access controls.