Threat Intelligence, Privileged access management

Microsoft-signed driver leveraged by HotPage adware

Share
Developer programmer using laptop with warning triangle sign for alert found error and maintenance concept

Attackers have deployed the ad blocker-spoofing HotPage adware that facilitates the stealthy delivery of a Microsoft-signed kernel driver enabling arbitrary code execution in targeted Windows systems, The Hacker News reports.

Aside from performing code injections into remote processes, the distributed kernel driver also allows system data exfiltration to a remote server connected to Hubei Dunwang Network Technology Co., Ltd, according to an ESET analysis. Moreover, threat actors with non-privileged accounts could exploit the driver's lack of access control lists to enable privilege escalation and NT AUTHORITYSystem account code execution, said the report. Such findings indicate the continuous evolution of tactics employed by adware developers, noted ESET researcher Romain Dumont. "Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component," said Dumont.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.