ESET: Chinese Adware Opens Windows Systems to More Threats
2024-7-18 21:44:26 Author: securityboulevard.com

Malware aimed at Chinese speakers, which passed itself off as a tool for improving the browsing experience by blocking ads and malicious websites, not only altered the content of requested pages or redirected users to other ones, but also collected system information and left an opening for other bad actors to escalate privileges and run malicious code on Windows systems.

Researchers with cybersecurity firm ESET noted that most security products detected the embedded HotPage installer – which was signed by Microsoft – as adware, but that a look under the hood revealed more sinister capabilities.

The malware illustrates the lengths to which bad actors will go to slip their malicious code into systems and some of the inherent weaknesses in security models, according to Romain Dumont, malware researcher at ESET.

“The HotPage driver reminds us that abusing Extended Verification certificates is still a thing,” Dumont wrote in a report Thursday. “As a lot of security models are at some point based on trust; threat actors are inclined to play along the line between legitimate and shady. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted thanks to this trust expose users to security risks.”

A Deeper Look into HotPage

ESET came across the HotPage malware at the end of 2023, when security products were detecting it as adware. However, the researchers looked into the embedded driver, which had been signed by Microsoft, and found it had been developed by a Chinese company called Hubei Dunwang Network Technology Co., an organization about which they could find little information.

The software was advertised as an “internet café security solution” for Chinese-speaking users and claimed to block ads and dangerous websites. What the researchers found was a dangerous piece of multi-faceted malware.

“On top of its obvious mischievous behavior, this kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the SYSTEM account,” Dumont wrote. “Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes.”

ESET reported the driver to Microsoft on March 18, and the driver was removed from the Windows Server Catalog on May 1.

Went Through the Microsoft Process

When executed, the HotPage malware loads its driver into Windows, a step that since the 64-bit version of Windows 7 has required a signature from Microsoft. That security and compatibility process is built on trust and has been abused, he wrote. The Chinese company went through the steps and obtained an Extended Verification certificate.

The company submitted its drivers under various product categories and appears to have developed two network filtering programs – a netfilter and the HotPage driver, which is referred to as adsafe. Investigating the Chinese company online, the researchers only found that it was created in January 2022, had an email address, and offered tech-related activities like development, services, and consulting, as well as advertising functions. Its primary shareholder is a small Chinese ad and marketing company. A website was created in February 2022 and a couple of months later the company applied for the trade name Shield Internet Café Security Defense.

It’s still unclear how the HotPage malware is distributed, though it may come bundled with another software package or advertised as a security product.

“The installer drops the driver on disk and starts a service to execute it,” Dumont wrote. “It decrypts its configuration file, which contains a list of target Chromium-based browsers and libraries. If such executables are found running or being loaded, the driver tries to inject one of the listed libraries into the browser process. After hooking network-based Windows API functions, the injected library checks the URL being accessed and under certain conditions, it displays another page to the user through diverse means.”

Collecting Information and Opening Doors

The installer comes as a UPX-compressed file and includes encrypted versions of the driver, the libraries that will be injected into browser processes, and three JSON-formatted configuration files that contain the targeted browsers and libraries, filtering rules, an API endpoint for sending details about the system, and another for managing configuration updates.

The malware checks whether it is running in a virtualized environment, decrypts the driver, writes it to disk under a generated name with the .sys extension, and then creates a service to load the driver. It collects information such as the computer name, network interface MAC address, operating system version, and screen dimensions, and sends it to the configured endpoint on a remote server in an HTTP POST request.

The driver injects libraries into browser applications using the open-source Blackbone project and alters their execution flow to change the URL the user is accessing or to open a page in a new tab. Notification routines are registered to monitor newly created processes and executable images as they are loaded.
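As a defender-side illustration (added here; this is not ESET's code or part of the original article), the following script correlates two of the behaviours described above over Sysmon-style telemetry: a driver with a valid WHQL signature loaded from outside the normal driver directories, followed shortly by a Chromium-based browser loading an unsigned DLL from an unusual path. The browser list, directory allow-lists, the WHQL publisher name, and all sample paths and hostnames are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed names for this example; field names follow Sysmon EventID 6 (DriverLoad) / 7 (ImageLoad).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
SAFE_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WHQL_SIGNER = "microsoft windows hardware compatibility publisher"  # assumed subject name of WHQL-signed drivers

def is_odd_signed_driver(ev):
    """EventID 6: driver carries a valid WHQL signature but was loaded from an unusual directory."""
    if ev.get("EventID") != 6:
        return False
    whql = ev.get("Signature", "").lower() == WHQL_SIGNER and ev.get("SignatureStatus") == "Valid"
    return whql and not ev["ImageLoaded"].lower().startswith(DRIVER_DIRS)

def is_browser_injection(ev):
    """EventID 7: a Chromium-based browser loads an unsigned DLL from outside the trusted directories."""
    if ev.get("EventID") != 7:
        return False
    proc = ev["Image"].lower().rsplit("\\", 1)[-1]
    unsigned = ev.get("SignatureStatus") != "Valid"
    return proc in CHROMIUM_BROWSERS and unsigned and not ev["ImageLoaded"].lower().startswith(SAFE_DLL_DIRS)

def correlate(events, window=timedelta(minutes=15)):
    """Pair each odd driver load with later browser injections on the same host inside the window."""
    alerts = []
    for d in filter(is_odd_signed_driver, events):
        t0 = datetime.fromisoformat(d["UtcTime"])
        for i in filter(is_browser_injection, events):
            t1 = datetime.fromisoformat(i["UtcTime"])
            if i["Computer"] == d["Computer"] and t0 <= t1 <= t0 + window:
                alerts.append({"host": d["Computer"], "driver": d["ImageLoaded"],
                               "browser": i["Image"], "dll": i["ImageLoaded"]})
    return alerts

# Constructed sample telemetry (paths, names and times are invented; not real HotPage indicators).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-07-18 09:00:00", "Computer": "cafe-pc-07", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\ProgramData\\AdSafe\\x1.sys", "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"EventID": 6, "UtcTime": "2024-07-18 09:00:05", "Computer": "cafe-pc-07", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signature": "Microsoft Windows"},
    {"EventID": 7, "UtcTime": "2024-07-18 09:03:10", "Computer": "cafe-pc-07", "SignatureStatus": "Unavailable",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\ProgramData\\AdSafe\\hook64.dll"},
    {"EventID": 7, "UtcTime": "2024-07-18 09:03:11", "Computer": "cafe-pc-07", "SignatureStatus": "Valid",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

A valid Microsoft signature on its own is not a detection, which is the point: the signal comes from pairing the unusual load location with the follow-on browser injection.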

Privilege Execution

The ESET researchers developed a proof-of-concept Python script demonstrating two scenarios in which an unprivileged user could escalate privileges through the HotPage driver and run code as NT AUTHORITY\SYSTEM: one used arbitrary DLL injection into arbitrary processes, the other changed the command line of newly created processes.

The adware itself is annoying, Dumont wrote, but the malware also opens the door to more dangerous threats: an attacker with a non-privileged account can use the driver to obtain SYSTEM privileges or to inject libraries into other processes, causing further damage.

“The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals,” he wrote. “Not only that, these have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component.”

Source: https://securityboulevard.com/2024/07/eset-chinese-adware-opens-windows-systems-to-more-threats/