Ad-injecting malware posing as DwAdsafe ad blocker uses Microsoft-signed driver

ESET Research has discovered a sophisticated Chinese browser injection program: a signed, vulnerable ad-injecting driver from a mysterious Chinese company. The threat, which ESET has dubbed HotPage, comes bundled in an executable file that installs its own driver and injects libraries into Chromium-based browsers.

Figure: Certified products of the Chinese company listed in the Windows Server catalog (Source: ESET)

This malware, which pretends to be a security product capable of blocking ads, actually delivers new ads. It can also replace the content of the current page, redirect the user, or simply open a new tab to a website filled with yet more ads. Beyond that, it introduces new vulnerabilities and leaves the system open to more serious threats: an attacker with an unprivileged account can abuse the vulnerable driver to gain system privileges or inject libraries into remote processes, all through a legitimate, signed driver.

At the end of 2023, ESET researchers found an installer named “HotPage.exe” that deployed a driver capable of injecting code into remote processes, and two libraries capable of intercepting and manipulating browser network traffic. The installer was detected by most security products as an adware component. What really caught the attention of ESET researchers was the included driver signed by Microsoft. According to its signature, it was developed by a Chinese company called Hubei Dunwang Network Technology.

“The lack of information about the company was interesting. The distribution method is still unclear, but according to our research, this software was advertised as a security solution for internet cafes targeting Chinese-speaking individuals. It claims to improve the web browsing experience by blocking ads and malicious sites, but the reality is quite different – it takes advantage of the browser’s traffic interception and data filtering capabilities to display gaming-related ads. It also sends some information about the computer to the company’s server, most likely to collect installation statistics,” explains ESET researcher Romain Dumont, who discovered the threat.

According to available information, the company’s scope of business includes technology-related activities such as development, services and consulting, but also advertising activities. The main shareholder is currently Wuhan Yishun Baishun Culture Media, a very small company that seems to specialize in advertising and marketing. Because installing this software requires elevated privileges, the malware has been bundled with other software packages or advertised as a security product.

Using Windows notification callbacks, the driver component monitors which browsers or new tabs are opened. Under certain conditions, the adware uses various techniques to inject code into browser processes so that they load its network-tampering libraries. The injected code uses Microsoft’s Detours library to hook and filter HTTP(S) requests and responses.

The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. Beyond this obvious mischief, the kernel component leaves the door open for other threats to run code with the highest privilege level available on Windows: the SYSTEM account. Because access to this kernel component is not properly restricted, any process can communicate with it and take advantage of its code-injection capability to target any unprotected process.
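One way for a defender to start triaging this class of threat, as an added example that is neither ESET’s nor the vendor’s code: list the kernel drivers registered on a Windows host with their Authenticode signers and flag any whose signer subject matches a name of interest (the company named above is used here as an assumed search string). Drivers signed through Microsoft’s hardware program carry Microsoft’s publisher certificate rather than the developer’s, so the report marks those separately for review.

```powershell
# Added example (not ESET's or the vendor's code). Assumption: the substring to
# flag is the company named in the article; adjust it to suit your own hunt.
$flagPublishers = @('Hubei Dunwang')
$whcp = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-DriverSignerReport {
    param([string[]]$FlagPublishers = $flagPublishers)

    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $drv = $_
        # PathName may be empty, quoted, or use kernel-style prefixes; normalize it
        $path = ($drv.PathName -replace '^"|"$', '')
        if (-not $path) { return }
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { return }

        # Note: Get-AuthenticodeSignature only sees embedded signatures. Many inbox
        # drivers are catalog-signed and show up as NotSigned here; that alone is
        # not suspicious. Third-party attestation-signed drivers are embedded-signed.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $matched = @($FlagPublishers | Where-Object { $subject -like "*$_*" })

        [pscustomobject]@{
            Name               = $drv.Name
            State              = $drv.State
            Path               = $path
            Status             = $sig.Status
            Signer             = $subject
            # A WHCP signer proves only that the file passed through Microsoft's
            # program, not who wrote it; review these drivers separately
            ThirdPartyAttested = ($subject -like "*$whcp*")
            Flagged            = ($matched.Count -gt 0)
        }
    }
}

# Show flagged drivers first, then every attestation-signed third-party driver
Get-DriverSignerReport |
    Where-Object { $_.Flagged -or $_.ThirdPartyAttested } |
    Sort-Object -Property Flagged -Descending |
    Format-Table Name, State, Status, Flagged, ThirdPartyAttested, Path -AutoSize
```

Run it from an elevated PowerShell session so that every driver path is readable; a match on the flag list is a lead to investigate, not a verdict on its own.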

“The HotPage driver reminds us that the abuse of extended validation certificates is still around. Since many security models rely at some point on trust, threat actors tend to walk the fine line between legitimate and suspicious. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted by this trust expose users to security risks,” adds Dumont.

ESET reported this software to Microsoft in March 2024 and followed its coordinated vulnerability disclosure process. Microsoft removed the driver from the Windows Server catalog on May 1, 2024. ESET technologies detect this threat as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.
