Fake Ad Blocker Capable of Running Arbitrary code on Windows Systems

0
17χλμ.

ESET specialists have discovered an advertising malware that is distributed under the guise of an ad blocker. The malware silently loads a kernel driver component, allowing attackers to run arbitrary code with elevated privileges on Windows hosts.

The malware, dubbed HotPage (from the HotPage.exe installer of the same name), has been active since the end of 2023. The exact distribution method of the malware installer is unknown, but it appears to be being advertised as a security solution for internet cafes designed to improve web browsing and block ads.

 
The researchers say that this installer deploys a driver capable of injecting code into remote processes, as well as two libraries capable of intercepting and interfering with network traffic from browsers.

"As a result, the malware is capable of modifying and replacing the content of the requested page, redirecting the user to another page, or opening a new page in a new tab based on certain criteria," the experts write.
In addition to its ability to intercept and filter traffic to display unwanted ads (mainly related to games), the malware is designed to collect and steal system information. The collected data is transmitted to a remote server associated with the Chinese company Hubei Dunwang Network Technology Co., Ltd (湖北盾网网络科技有限公司).

This is done by using a driver whose primary purpose is to inject libraries into browser applications and modify the process of running them (for the sake of spoofing URLs and redirecting browsers' home pages to a specific URL specified in the settings).

Moreover, the lack of an ACL (Access Control List) for this driver allowed attackers with an unprivileged account to gain elevated privileges and run code with System-level privileges.

"This kernel component inadvertently opens the door to threats related to the execution of code with the highest level of privilege in the Windows operating system: the System account. Due to incorrectly implemented restrictions of this kernel component, an attacker with an unprivileged account could gain elevated privileges and run code on behalf of the NT AUTHORITY\System account," ESET warns.
Also, the mentioned driver is notable for the fact that it is signed by Microsoft. It is assumed that the Chinese company was able to pass Microsoft checks and received an Extended Verification (EV) certificate. It was removed from the Windows Server Catalog only on May 1, 2024, after a warning from researchers.

Αναζήτηση
Κατηγορίες
Διαβάζω περισσότερα
Mental Health
Psychosis: Negative Symptoms [2]
Psychosis is associated with ventral striatal (VS) which is the part of the brain that is...
από Kelsey Rodriguez 2023-06-07 14:46:23 0 11χλμ.
Personal Finance
How to Improve Your Credit Score — and Why It’s Central to Smart Money Management
How to Improve Your Credit Score — and Why It’s Central to Smart Money Management...
από Leonard Pokrovski 2025-11-10 18:36:01 0 8χλμ.
Productivity
How do I balance work and personal life?
How Do I Balance Work and Personal Life? Balancing work and personal life is not about splitting...
από Michael Pokrovski 2026-03-04 21:42:04 0 20χλμ.
Телевидение
Музыка Мода ТВ Прямой эфир.
Музыка Мода ТВ - российский музыкально-развлекательный телеканал, который создан 29 июня 2021...
από Nikolai Pokryshkin 2022-11-25 17:46:26 0 36χλμ.
Personal Finance
Can I Itemize Deductions or Should I Take the Standard Deduction?
Can I Itemize Deductions or Should I Take the Standard Deduction? Which Is Better for My...
από Leonard Pokrovski 2025-11-21 19:29:25 0 14χλμ.

BigMoney.VIP Powered by Hosting Pokrov