Attackers deployed HotPage, an advertising program that impersonates an ad blocker and facilitates the stealthy delivery of a Microsoft-signed kernel driver, allowing arbitrary code to be executed on targeted Windows systems, Hacker News reports.
In addition to performing code injections into remote processes, the distributed kernel driver also allows system data to be leaked to a remote server connected to Hubei Dunwang Network Technology Co., Ltd., according to ESET analysis.
Furthermore, because the driver's device object lacks an access control list, threat actors with non-privileged accounts can open it to escalate privileges and execute code as NT AUTHORITY\System, according to the report. Such findings indicate the continued evolution of tactics used by adware developers, according to Romain Dumont, a researcher at ESET.
“Not only did they develop a core component that contained a wide range of techniques to manipulate processes, but they also met Microsoft’s requirements for code signing certification for their driver component,” Dumont said.