Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

Published: 23/11/2024   Category: security




An official stamp of approval might give the impression that a purported HotPage adtech tool is not, in fact, a dangerous kernel-level malware — but that's just subterfuge.



Researchers have stumbled upon a fake ad blocker marketed to Internet cafés in China that, in fact, conceals sophisticated, multifaceted, kernel-level malware.
HotPage.exe, present on VirusTotal since at least late last year, was approved and signed by Microsoft and developed by what seemed to be a real corporation. Still, security products flag it as adware, and, in truth, it is even worse than that.
Instead of removing ads, it introduces many more of them by intercepting web traffic and redirecting and manipulating content in victims' browsers. Meanwhile, it drops a vulnerable system-level driver that could allow any attacker wandering by to execute malicious code with the highest possible privileges.
According to its new report, ESET reported HotPage to Microsoft on March 18. Microsoft removed it from the Windows Server Catalog on May 1.
It's unclear as yet how HotPage is delivered to victims. Its product documentation indicates that it's marketed as a security product, which makes sense, seeing as it requires significant privileges to drop its vulnerable driver to the disk.
That driver is the source of all kinds of trouble. It injects libraries into targeted browser applications and hooks network-based Windows API functions in order to intercept and modify browser activity, redirecting or opening new ad-stuffed web pages on the victim's screen. It connects with a command-and-control (C2) server to send back information about the victim and retrieve relevant data for the attack.
Worse, though, is that this kernel-mode component lacks proper access restrictions, in effect allowing any running process to communicate with it. It's not clear whether this was designed intentionally or not, but either way, the result is the same: any attacker could weaponize HotPage for their own purposes.
It's worth noting, then, how HotPage hooks the Windows API function SetProcessMitigationPolicy, which is used for applying security policies to processes. In so doing, the malware blocks any security policies that might otherwise be applied to it, enabling arbitrary code injection at the system level.
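As an added defender-side check (not code from the article or from ESET's report), the PowerShell script below, run from an elevated prompt, audits the kernel drivers installed on a Windows host: it flags any whose signer or file metadata names the publisher the article identifies, and lists every driver whose signing chain is not Microsoft's own for manual review. The publisher substring and the path normalisation are assumptions made for this example.

```powershell
# Added example, not code from the article or from ESET's report.
# Audits installed kernel drivers: flags any whose file metadata or signer names the
# publisher the article identifies, then lists every driver not signed by Microsoft
# so an analyst can review it. Run from an elevated PowerShell session.

$SuspectPublisher = 'Hubei Dunwang'   # company named in the HotPage signature (assumed substring)

function Resolve-DriverPath([string]$RawPath) {
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise to Win32 paths.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Driver    = $drv.Name
        State     = $drv.State
        Path      = $path
        SigStatus = $sig.Status
        Signer    = $signer
        Company   = $company
        # A valid Microsoft signature on a driver whose metadata names a third party is the
        # HotPage pattern described above: signed for compatibility, not vetted for intent.
        Suspect   = ($company -like "*$SuspectPublisher*") -or ($signer -like "*$SuspectPublisher*")
    }
}

# Suspect drivers first, then every driver whose signer is not Microsoft, for manual review.
$report | Where-Object Suspect | Format-Table Driver, State, Path, Signer -AutoSize
$report | Where-Object { -not $_.Suspect -and $_.Signer -notlike '*O=Microsoft Corporation*' } |
    Format-Table Driver, State, SigStatus, Signer, Company -AutoSize
```

A hit in the second list is not by itself malicious; it is the set of drivers whose publisher, intended purpose and required privileges deserve the scrutiny the article argues a signature alone does not provide.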
According to its official signature, HotPage was developed by Hubei Dunwang Network Technology Co. Ltd. The company was first registered on Jan. 6, 2022, with the stated purpose of providing technology-related services, including development, consulting, and advertising. Its website — a barebones form with three fields and a QR code — is no longer live.
How could Microsoft's code signing process be so lax as to allow through such a shady company and its blatant malware? Dark Reading reached out to Microsoft for comment on this point, but the reality is that code signing is regularly abused in any number of ways.
"In a rather simple scenario," explains Romain Dumont, malware researcher for ESET, "a shady company would develop a legitimate computer software, which would go through the driver-signing requirements. Later on, the editor could covertly introduce a backdoor, either through new functionalities or by intentionally introducing a vulnerability."
Similarly, he adds, "HotPage (or DWAdsafe) posed as a security product to block ads, and so possesses interception functionalities. Here, the problem lies in the way the software can be configured and misused."
Microsoft, for its part, can only do so much. "I don't think a bulletproof process exists," Dumont says. "A naive approach would be to do a background check on companies and verify that the advertised functionalities correspond to the actual functionalities through a security assessment. Microsoft could ask for a certain level of transparency regarding the intended purpose of the software and the required functionalities to achieve it. The more functionalities an editor needs, the more tests they should pass. But let's face it, it's a difficult and time-consuming task."
Users, then, cannot blindly trust even the programs Microsoft deems trustworthy. Instead, Dumont says, "I think using computer software from renowned companies is a start. Also, turn to open source software and companies with bug-bounty programs, who are transparent about their functionalities and have a history of sharing security advisories or vulnerability announcements. ... If possible and as a rule of thumb, companies and users should isolate programs and restrict their privileges as much as possible."
