Imagine installing an ad blocker that ends up displaying even more adware. To make matters worse, this “ad blocker” also steals sensitive data from the device it’s installed on and even allows other malicious actors to execute code with elevated privileges.
This is exactly what HotPage, a new adware module recently discovered by ESET cybersecurity researchers, can apparently do. In its analysis, ESET stated that it first detected HotPage in late 2023 posing as an ad blocker, but during installation, it “deploys a driver capable of injecting code into remote processes and two libraries capable of intercepting and manipulating browsers’ network traffic.”
As a result, the malware can modify or completely replace the content of a page that the victim is trying to visit. It can redirect them to a completely different page or open a new page in a new tab, if necessary.
Display ads, collect data, deploy malware
The primary goal of HotPage is to display gaming-related ads, according to researchers. However, it can also obtain system information and send it to a remote server registered in the name of a Chinese company, Hubei Dunwang Network Technology Co., Ltd, suggesting that the campaign is of Chinese origin. Ultimately, the malware also allows unprivileged account holders to elevate their privileges and execute code as the NT AUTHORITY\SYSTEM account.
“This kernel component inadvertently leaves the door open for other threats to execute code at the highest privilege level available in the Windows operating system: the system account,” the researchers said in their paper. “Due to the undue access restrictions to this kernel component, any process can communicate with it and take advantage of its code injection capabilities to attack any unprotected process.”
ESET concluded its article by saying that HotPage looks pretty generic, but is actually quite sophisticated.