Imagine installing an adblocker that ends up displaying even more adware. To make matters worse, this “adblocker” also steals sensitive data from the device it’s installed on, and even allows other malicious actors to execute code with elevated privileges.
That’s exactly what HotPage, a new adware module recently discovered by cybersecurity researchers ESET, can apparently do. In its analysis, ESET said it first detected HotPage in late 2023 as an ad blocker, but during installation it “implements a driver capable of injecting code into external processes, and two libraries capable of intercepting and manipulating browser network traffic.”
As a result, the malware can change or completely replace the content of a page the victim is trying to visit. It can redirect them to a completely different page or open a new page in a new tab, if necessary.
Display advertisements, collect data, install malware
The main purpose of HotPage is to display game-related advertisements, the researchers said. However, it can also grab system information and send it to a remote server registered to a Chinese company Hubei Dunwang Network Technology Co., Ltd, suggesting that the campaign is of Chinese origin. Finally, the malware also allows non-privileged account holders to escalate their privileges and execute code as the NT AUTHORITYSystem account.
“This kernel component inadvertently leaves the door open for other threats to execute code under the highest privilege level available in the Windows operating system: the system account,” the researchers wrote in their writeup. “Incorrect access restrictions to this kernel component allow all processes to interact with it and use its code injection capability to attack unprotected processes.”
ESET concluded its article by stating that HotPage looks generic enough, but is in fact quite sophisticated.