Attackers have deployed the ad blocker-spoofing HotPage adware that facilitates the stealthy delivery of a Microsoft-signed kernel driver enabling arbitrary code execution in targeted Windows systems, The Hacker News reports.
Aside from injecting code into remote processes, the distributed kernel driver also allows system data to be exfiltrated to a remote server linked to Hubei Dunwang Network Technology Co., Ltd, according to an ESET analysis. Moreover, because the driver exposes its device object without an access control list, threat actors with non-privileged accounts could abuse it for privilege escalation and code execution as the NT AUTHORITY\SYSTEM account, the report said.

Such findings indicate the continuous evolution of tactics employed by adware developers, noted ESET researcher Romain Dumont. "Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component," said Dumont.