ESET researchers have uncovered a dangerous threat hiding in a fake ad blocker marketed to Internet cafes in China. The malware, known as HotPage.exe after its installer, not only fails to block ads as promised but injects more of them, and the kernel driver it installs can be abused by any local program to execute code with the highest level of privileges available on Windows (NT AUTHORITY\SYSTEM).
HotPage.exe was first seen on VirusTotal in late 2023, and its driver carried a valid Microsoft signature obtained through the Windows Hardware Compatibility Program, so Windows loaded it as a legitimate, certified component. ESET quickly identified the package as adware with far more dangerous capabilities and reported it to Microsoft on March 18, 2024; Microsoft removed HotPage.exe from the Windows Server Catalog on May 1, 2024.
The real danger of HotPage.exe lies in the vulnerable kernel-mode driver it installs. The driver intercepts browser traffic to redirect pages and inject ads, and the package takes its configuration from a remote command-and-control server. Because the driver does not restrict which processes may open it and send it commands, any local program, including one running as an unprivileged user, can use it to inject code into privileged processes and run with SYSTEM rights. Other attackers can therefore weaponize an installed HotPage.exe for their own purposes without having to bypass Microsoft's driver signing policy themselves.
Despite its malicious behavior, HotPage.exe was developed by a seemingly legitimate company, Hubei Dunwang Network Technology Co., Ltd., registered in early 2022. The company's website has since disappeared, leaving questions about how Microsoft's code-signing process let such a threat through. As ESET malware researcher Romain Dumont explains, code signing is frequently abused by malicious actors who first develop harmless software and then add backdoors or vulnerabilities to it.
Microsoft faces real difficulty verifying the legitimacy of software developers and the integrity of their products, which makes it hard to prevent malware from being signed and distributed to unsuspecting users. Users should exercise caution when installing programs even when they carry a valid signature from a reputable source, run day-to-day as a standard user rather than an administrator, and avoid installing software that brings its own kernel driver unless that driver is genuinely needed, since a driver with weak access controls hands its privileges to every program on the machine.
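As a practical follow-up to that advice, the script below is an added example (not code from the article or from ESET) that an administrator can run from an elevated PowerShell prompt to inventory installed kernel drivers whose embedded signature comes from Microsoft's hardware-compatibility signing, the same path a third-party driver such as HotPage's takes. It lists each such driver's service name, state, path, signer and SHA-256 so the set can be reviewed and checked against vendor or VirusTotal data. The signer subject string is an assumption about the WHCP leaf certificate; the script does not look for HotPage's own driver by name, because this page does not give it.

```powershell
# Added example: audit third-party kernel drivers that carry a Microsoft
# WHCP signature. Such a signature means Microsoft signed the binary, not
# that the driver is safe or free of privilege-escalation flaws.
# Run from an elevated PowerShell prompt.

# Assumed subject of the WHCP signing certificate (verify on your own host).
$whcpSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher'

Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Win32_SystemDriver reports paths in several shapes:
        #   \??\C:\...\foo.sys, \SystemRoot\System32\drivers\foo.sys,
        #   system32\drivers\foo.sys, or a plain C:\... path. Normalise them.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if ($path -match '^\\SystemRoot\\(.*)$') {
            $path = Join-Path $env:SystemRoot $Matches[1]
        } elseif ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Embedded Authenticode signature; WHCP-signed drivers chain to Microsoft.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -like "$whcpSigner*") {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Status    = $sig.Status          # Valid / NotSigned / HashMismatch ...
                Signer    = $sig.SignerCertificate.Subject
                Path      = $path
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    } |
    Sort-Object Service |
    Format-Table -AutoSize
```

Anything in the output that is not from a hardware vendor you recognise, or whose path is outside the normal driver directories, deserves a closer look; the SHA-256 column is there so the file can be looked up without uploading it. A `Status` other than `Valid` on a loaded driver is itself worth investigating.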
In conclusion, the discovery of HotPage.exe is a reminder that attackers can abuse a legitimate signing process to put a Microsoft-signed driver onto victims' machines. Users and administrators must remain vigilant, restrict the privileges they grant to software, and favour developers with transparent practices, since a valid signature alone is not proof that a program is safe.

