ESET Research
Security research and breaking news straight from ESET Research Labs.

Jul 18, 7 tweets

#ESETresearch discovered a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which we dubbed HotPage, comes self-contained in an executable that installs its main driver and injects libraries into Chromium-based browsers. 1/7

Using Windows’ notification callbacks, the driver component monitors new browsers or tabs being opened. Under certain conditions, the adware will use various techniques to inject shellcode into browser processes to load network-tampering libraries. 2/7

Using Microsoft’s Detours hooking library, the injected code filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. 3/7

According to the driver’s digital signature, this component was signed by Microsoft and developed by a Chinese company named 湖北盾网网络科技有限公司. The suspiciously small amount of information about that company was intriguing. 4/7

Company registers revealed a website that is inaccessible and an odd trade name: Shield Internet Café Security Defense. Posing as a security product, its license agreement is filled with contradictions regarding its interception capabilities. 5/7

The reality is different: instead of blocking ads as advertised, they are merely replaced, and even more are introduced. 6/7

But this threat also introduces security holes. Our analysis revealed two vulnerabilities that could be used to inject libraries into processes and run arbitrary executables as the SYSTEM account. To read a detailed analysis, head over to welivesecurity.com/en/eset-resear… 7/7
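A defender's hunting script for the behaviour described in this thread, added here as an example that is not ESET's code: it looks for installed kernel drivers attributed to the named developer and for modules without a valid signature inside Chromium-based browsers. It assumes an elevated Windows PowerShell 5.1+ session; the browser process list and the choice to check both the Authenticode subject and the file's CompanyName are assumptions (a Microsoft-attested driver carries Microsoft's certificate, not the vendor's).

```powershell
# Added hunting example, not ESET's code. Assumes Windows PowerShell 5.1 or later, run elevated.
$SuspectDeveloper = '湖北盾网网络科技有限公司'                        # developer name from the thread
$ChromiumBrowsers = 'chrome', 'msedge', 'brave', 'opera', 'vivaldi'    # assumed list of targets

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths in several forms; normalise to a plain file path
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspectDrivers {
    # Match on the signer subject or the image's CompanyName (assumption: either may name the developer)
    Get-CimInstance Win32_SystemDriver | Where-Object PathName | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        if ($subject -like "*$SuspectDeveloper*" -or $company -like "*$SuspectDeveloper*") {
            [pscustomobject]@{ Service = $_.Name; State = $_.State; Path = $path
                               Signer = $subject; CompanyName = $company }
        }
    }
}

function Find-UnsignedBrowserModules {
    # Report modules loaded into Chromium-based browsers whose signature is not valid.
    # Injected network-tampering libraries are one thing this surfaces; benign unsigned
    # DLLs are another, so treat hits as leads to review rather than verdicts.
    Get-Process -Name $ChromiumBrowsers -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules } catch { return }   # protected or inaccessible process
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName -ErrorAction SilentlyContinue
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Process = $proc.Name; PID = $proc.Id
                                   Module = $m.FileName; Status = $sig.Status }
            }
        }
    }
}

Find-SuspectDrivers | Format-Table -AutoSize
Find-UnsignedBrowserModules | Format-Table -AutoSize
```

Both functions return objects, so the output can be piped to Export-Csv for triage across several hosts.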
