
Invasive HotPage Malware Targets Chinese Speakers

Security researchers have uncovered a case in which a seemingly harmless software installer, HotPage.exe, deploys a Microsoft-signed kernel driver capable of injecting code into other processes on the same machine and intercepting browser traffic. The installer was initially classified as adware; its true nature became clear once researchers observed that it could manipulate web content and redirect users.

HotPage targets Chinese-speaking users, promising a better browsing experience by blocking ads and malicious websites. In practice, the software displays game-related ads and collects system information without the user's consent. Researchers from ESET, who analyzed HotPage, found that it uses a Microsoft-signed driver to inject code into processes running on the infected system. The installer also drops two libraries that are injected into browsers to intercept and alter network traffic, allowing the malware to modify web content, redirect users, and open new tabs when predefined conditions are met.

The driver's kernel-level access also opens an avenue for deploying additional payloads on compromised systems. Because the driver does not properly restrict which processes may communicate with it, any local process, including one running without elevated rights, can ask it to inject code into a process running with the highest privileges on Windows, turning it into a local privilege escalation primitive. ESET reported the issue to the Microsoft Security Response Center (MSRC) on March 18, 2024, and the driver was removed from the Windows Server Catalog on May 1, 2024. ESET detects the components as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.
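The driver in this case was trusted by Windows because Microsoft signed it on a third party's behalf, so a useful first check on a fleet is to inventory every installed kernel driver whose Authenticode leaf is Microsoft's hardware-compatibility signer but whose file metadata names a non-Microsoft vendor. The PowerShell below is an added example, not code from ESET or from the article; the signer name is the one Microsoft uses for drivers signed through its hardware compatibility program, and the first-party company names and the empty vendor allow-list are assumptions you should tune to your environment. It does not look for HotPage by name (the article gives no file or driver names), and it does not inspect the driver's device-object ACL, which needs a kernel-aware tool.

```powershell
# Added example: list third-party kernel drivers that carry a Microsoft
# hardware-compatibility signature, the class of trust HotPage abused.
# Assumptions (not from the article): the first-party company names below
# and the vendor allow-list passed by the caller.

$WhcpSigner = 'Microsoft Windows Hardware Compatibility Publisher'       # leaf signer on Microsoft-signed third-party drivers
$MicrosoftOwnCompanies = @('Microsoft Corporation', 'Microsoft Windows')  # assumed first-party CompanyName values to exclude

function Resolve-DriverPath {
    param([string] $PathName)
    # Win32_SystemDriver.PathName appears in several forms; normalise to a file-system path.
    $p = $PathName -replace '^"(.*)"$', '$1'
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-ThirdPartyWhcpDrivers {
    param(
        [string[]] $KnownVendors = @()   # assumed allow-list of CompanyName values you already trust
    )

    # Win32_SystemDriver covers kernel drivers registered with the Service Control Manager,
    # whether or not they are currently loaded (State tells you which).
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $signer = ''
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            }
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                SigStatus = $sig.Status
                Signer    = $signer
                Company   = $company
            }
        } |
        Where-Object {
            # Keep drivers Microsoft signed for someone else: Microsoft leaf, non-Microsoft file metadata,
            # and a vendor you have not explicitly allow-listed.
            $_.Signer -eq $WhcpSigner -and
            $_.Company -notin $MicrosoftOwnCompanies -and
            $_.Company -notin $KnownVendors
        }
}

# Usage: review the result by hand; a hit is a candidate for closer inspection, not proof of malice.
Get-ThirdPartyWhcpDrivers |
    Sort-Object Company, Name |
    Format-Table Name, State, Company, SigStatus, Path -AutoSize
```

Expect legitimate hits: most hardware vendors ship drivers signed this way. The value is in the diff against a known-good baseline and in entries whose CompanyName is blank, generic, or unfamiliar; those are the drivers to pull for signature-attribute review and for checking who can open their device objects.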

The company behind the software, Hubei Dunwang Network Technology Co., Ltd., held an Extended Validation (EV) code-signing certificate, the prerequisite Microsoft requires before it will sign a vendor's driver, and used it to get the HotPage driver signed. Despite presenting itself as a provider of security solutions, the company's own license agreement contradicts its product's behavior: it states that DwAdsafe has no interception capabilities, whereas the software was found to include intrusive monitoring and filtering functions.

The company's website, dwadsafe[.]com, is no longer accessible, but archived versions show it was marketed as an "Internet cafe active defense cloud platform." The gap between the stated purpose and the software's actual capabilities is a direct threat to user privacy and system security. By posing as a helpful tool, HotPage exposes users to significant risk and illustrates a worrying pattern of malware packaged as legitimate software with seemingly benign aims.

HotPage underscores the need for rigorous vetting in driver-signing programs, as threat actors continue to exploit the trust placed in legitimate software channels. Users and organizations should treat a Microsoft signature on a third-party driver as a necessary but not sufficient signal of trust, and keep an inventory of the drivers they allow to load.
