Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

An official stamp of approval might give the impression that a purported "HotPage" adtech tool is not, in fact, dangerous kernel-level malware — but that's just subterfuge.


Researchers have stumbled upon a fake ad blocker marketed to Internet cafés in China that, in fact, conceals sophisticated, multifaceted, kernel-level malware.

"HotPage.exe," present on VirusTotal since at least late last year, was approved and signed by Microsoft and developed by what seemed to be a real corporation. Still, security products flag it as adware, and, in truth, it is even worse than that.

Instead of removing ads, it introduces many more of them by intercepting web traffic and redirecting and manipulating content in victims' browsers. Meanwhile, it drops a vulnerable system-level driver that could allow any attacker wandering by to execute malicious code with the highest possible privileges.

According to ESET's new report, the company reported HotPage to Microsoft on March 18. Microsoft removed it from the Windows Server Catalog on May 1.

HotPage Can Be Weaponized Easily

It's unclear as yet how HotPage is delivered to victims. Its product documentation indicates that it's marketed as a security product, which makes sense, seeing as it requires significant privileges to drop its vulnerable driver to the disk.

That driver is the source of all kinds of trouble. It injects libraries into targeted browser applications, and hooks network-based Windows API functions in order to intercept and modify browser activity, redirecting or opening new ad-stuffed web pages on the victim's screen. It connects with a command-and-control (C2) server to send back information about the victim, and retrieve relevant data for the attack.

Worse, though, is that this kernel-mode component lacks proper access restrictions, in effect allowing any running process to communicate with it. It's not clear whether this was designed intentionally or not, but either way, the result is the same: Any attacker could weaponize HotPage for their own purposes.

It's worth noting, then, how HotPage hooks the Windows API function "SetProcessMitigationPolicy," which is used for applying security policies to processes. In so doing, the malware blocks any security policies that might otherwise be applied to it, enabling arbitrary code injection at the system level.

How HotPage Malware Got its Veneer of Legitimacy

According to its official signature, HotPage was developed by Hubei Dunwang Network Technology Co. Ltd. The company was first registered on Jan. 6, 2022, with the stated purpose of providing technology-related services, including development, consulting, and advertising. Its website — a barebones form with three fields and a QR code — is no longer live.

How could Microsoft's code signing process be so lax as to allow through such a shady company and its blatant malware? Dark Reading reached out to Microsoft for comment on this point, but the reality is that code signing is regularly abused in any number of ways.

"In a rather simple scenario," explains Romain Dumont, malware researcher for ESET, "a shady company would develop a legitimate computer software, which would go through the driver-signing requirements. Later on, the editor could covertly introduce a backdoor, either through new functionalities or by intentionally introducing a vulnerability."

Similarly, he adds, "HotPage (or DWAdsafe), posed as a security product to block ads, and so possesses interception functionalities. Here, the problem lies in the way the software can be configured and misused."

Microsoft, for its part, can only do so much. "I don’t think a bulletproof process exists," Dumont says. "A naive approach would be to do a background check on companies and verify that the advertised functionalities correspond to the actual functionalities through a security assessment. Microsoft could ask for a certain level of transparency regarding the intended purpose of the software and the required functionalities to achieve it. The more functionalities an editor needs, the more tests they should pass. But let’s face it, it’s a difficult and time-consuming task."

Users, then, cannot blindly trust even the programs Microsoft deems trustworthy. Instead, Dumont says, "I think using computer software from renowned companies is a start. Also, turn to open source software and companies with bug-bounty programs, who are transparent about their functionalities and have history sharing security advisories or vulnerability announcements. ... If possible and as a rule of thumb, companies and users should isolate programs and restrict their privileges as much as possible."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
