HotPage: Story of a signed, vulnerable, ad-injecting driver

HotPage is a signed Windows kernel driver/adware component that injects code into browser processes to display ads and redirect users by intercepting and tampering with web traffic. Researchers trace the driver’s code-signing certificate to a Chinese company (Hubei Dunwang Network Technology Co., Ltd.), document how its capabilities can enable privilege escalation and broader system impact, and note that Microsoft removed the driver from the Windows Server Catalog in 2024. #HotPage #DwAdsafe #HubeiDunwang #CodeSigning #MicrosoftEV #WindowsServerCatalog

Keypoints

  • HotPage is delivered as an installer that drops a kernel driver and two libraries designed to inject into browser processes.
  • The driver is signed with a valid Extended Validation (EV) code-signing certificate issued to a Chinese vendor, highlighting how a trusted signature can be abused.
  • The malware intercepts and filters browser network traffic to modify pages, redirect to other URLs, or open new tabs under certain conditions.
  • Configurations are encrypted/obfuscated and loaded from embedded JSON-like files (chromedll, hotPage, newtalbe) to control injection and redirection behavior.
  • Privilege-escalation risks exist: the kernel component lacks proper access controls, enabling arbitrary process injection and potentially SYSTEM-level execution.
  • Microsoft removed the driver from its Windows Server Catalog in May 2024, and ESET detects it as Win32/HotPage.A and Win32/HotPage.B.

MITRE Techniques

  • [T1588.003] Obtain Capabilities: Code Signing Certificates – “DwAdsafe’s driver is signed with a valid code-signing certificate.”
  • [T1204.002] User Execution: Malicious File – “The installer component is an executable application.”
  • [T1569.002] System Services: Service Execution – “DwAdsafe’s driver is loaded by creating a service.”
  • [T1574.013] Hijack Execution Flow: KernelCallbackTable – “DwAdsafe’s driver installs kernel callbacks to monitor loaded images and process creation.”
  • [T1055.004] Process Injection: Asynchronous Procedure Call – “DwAdsafe’s driver can use APC as an injection method.”
  • [T1553.002] Subvert Trust Controls: Code Signing – “DwAdsafe’s driver is signed with a valid code-signing certificate.”
  • [T1140] Deobfuscate/Decode Files or Information – “The embedded configuration files are encrypted.”
  • [T1055.001] Process Injection: Dynamic-link Library Injection – “DwAdsafe can hijack web browser processes’ control flow by injecting DLLs.”
  • [T1027.009] Obfuscated Files or Information: Embedded Payloads – “DwAdsafe’s driver and hooking libraries are embedded inside the installer.”
  • [T1070.004] Indicator Removal: File Deletion – “DwAdsafe’s driver deletes itself from disk.”
  • [T1027.002] Obfuscated Files or Information: Software Packing – “DwAdsafe’s installer is packed with UPX.”
  • [T1033] System Owner/User Discovery – “DwAdsafe’s installer and the hooking libraries collect the victim’s username.”
  • [T1185] Browser Session Hijacking – “DwAdsafe’s hooking libraries can intercept and tamper with network traffic inside web browser processes.”
  • [T1071.001] Application Layer Protocol: Web Protocols – “The HTTP protocol is used to send collected information about the user and computer to the C&C.”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – “The RC4 encryption algorithm is used for encrypting communication with the C&C.”
  • [T1565.002] Data Manipulation: Transmitted Data Manipulation – “DwAdsafe’s hooking libraries can intercept and tamper with network traffic inside web browser processes.”
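The technique list above reads as a detection chain: an installer (HotPage.exe), a kernel driver loaded by creating a service, the driver deleting itself from disk, and browser processes talking to the listed domains and IPs. The following script is an added example, not code from ESET or from the page, that correlates constructed event records against exactly those indicators. The record shapes (Sysmon-style event IDs 1, 3, 22 and 23 plus the System-log service-install event 7045), the browser process names, the 300-second self-delete window and every path, timestamp and full hash in the sample data are assumptions made for illustration; only the IoC values are taken from the page, and because the page lists the SHA-1 hashes truncated to 20 hex characters, hash matching is on that prefix alone.

```python
import ntpath
from dataclasses import dataclass

# IoC values copied from the page. The SHA-1 hashes appear there truncated to
# 20 hex characters, so the check below matches on that prefix only.
IOC_SHA1_PREFIXES = {
    "0D1D298A3EBCA4ECE0BA", "52828DD3B7676D884E7F", "DDD82422D418FC8E8748",
    "BCC7BD2E2BC468124A6B", "D5D646B052E8B2572399", "1CB4CAB51CB2F9D55906",
    "941F0D2D4589FB8ADF22", "4C8969F74633267B2561",
}
IOC_FILENAMES = {"hotpage.exe"}
IOC_DOMAINS = {"nnijs-f-9-9-1.nycpqx.top", "tmrr-s-f-9-9-1.vosdzxhbv.top"}
IOC_IPS = {"61.147.93.49", "140.210.24.33", "202.189.5.222"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption
SELF_DELETE_WINDOW = 300  # seconds; assumed threshold for "driver deletes itself"


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def correlate(events):
    """Walk event records in time order and return a list of Findings.

    Record shapes are constructed for this example and loosely follow Sysmon
    (1 ProcessCreate, 3 NetworkConnect, 22 DnsQuery, 23 FileDelete) and the
    System log service-install event (7045); a real pipeline would map its own
    schema onto these fields.
    """
    findings = []
    driver_installs = {}  # lowercase driver path -> install timestamp
    for e in sorted(events, key=lambda r: r["ts"]):
        eid = e["id"]
        if eid == 1:  # process creation: installer matched by name or SHA-1 prefix
            sha1 = e.get("sha1", "").upper()[:20]
            if _base(e["image"]) in IOC_FILENAMES or sha1 in IOC_SHA1_PREFIXES:
                findings.append(Finding("ioc_installer", e["image"]))
        elif eid == 7045:  # service installed: remember kernel-mode drivers
            if e.get("service_type", "").lower() == "kernel mode driver":
                driver_installs[e["image_path"].lower()] = e["ts"]
        elif eid == 23:  # file deleted: driver removed soon after its service was created
            t0 = driver_installs.get(e["target"].lower())
            if t0 is not None and e["ts"] - t0 <= SELF_DELETE_WINDOW:
                findings.append(Finding("driver_self_deleted", e["target"]))
        elif eid == 22:  # DNS query from a browser for a listed domain
            if _base(e["image"]) in BROWSERS and e["query"].lower() in IOC_DOMAINS:
                findings.append(Finding("browser_contacts_ioc_domain", e["query"]))
        elif eid == 3:  # outbound connection to a listed IP
            if e["dest_ip"] in IOC_IPS:
                findings.append(Finding("connection_to_ioc_ip", e["dest_ip"]))
    return findings


# Constructed sample timeline (not real telemetry). The installer SHA-1 is the
# page's 20-char prefix padded with zeros, because the page gives no full hash.
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100, "image": r"C:\Users\alice\Downloads\HotPage.exe",
     "sha1": "941F0D2D4589FB8ADF22" + "0" * 20},
    {"id": 7045, "ts": 101, "image_path": r"C:\Windows\Temp\example_drv.sys",
     "service_type": "kernel mode driver"},
    {"id": 23, "ts": 105, "image": r"C:\Users\alice\Downloads\HotPage.exe",
     "target": r"C:\Windows\Temp\example_drv.sys"},
    {"id": 22, "ts": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "nnijs-f-9-9-1.nycpqx.top"},
    {"id": 3, "ts": 201, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "140.210.24.33"},
    # Benign noise: an unrelated process, and a legitimate driver whose file is
    # deleted long after installation (outside the self-delete window).
    {"id": 1, "ts": 300, "image": r"C:\Windows\System32\notepad.exe", "sha1": "A" * 40},
    {"id": 7045, "ts": 400, "image_path": r"C:\Windows\System32\drivers\benign.sys",
     "service_type": "kernel mode driver"},
    {"id": 23, "ts": 1000, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\drivers\benign.sys"},
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Run stand-alone, the script reports four findings for the constructed timeline (installer, driver self-delete, browser DNS lookup of an IoC domain, connection to an IoC IP) and nothing for the benign records. The self-delete rule is the one worth keeping even after the listed hashes and domains go stale: a kernel-mode driver service whose image file disappears within minutes of creation is unusual for legitimate software and matches the behaviour the page attributes to the DwAdsafe driver.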

Indicators of Compromise

  • [SHA-1] Files – 0D1D298A3EBCA4ECE0BA, 52828DD3B7676D884E7F
  • [SHA-1] Files – DDD82422D418FC8E8748, BCC7BD2E2BC468124A6B
  • [SHA-1] Files – D5D646B052E8B2572399, 1CB4CAB51CB2F9D55906
  • [SHA-1] Files – 941F0D2D4589FB8ADF22, 4C8969F74633267B2561 (HotPage installer)
  • [Filename] HotPage.exe – HotPage installer
  • [IP] 61.147.93.49 – nnijs-f-9-9-1.nycpqx.top (server hosting game-domain list)
  • [IP] 140.210.24.33 – tmrr-s-f-9-9-1.vosdzxhbv.top (redirect target host)
  • [IP] 202.189.5.222 – N/A (former DwAdsafe domain used to collect info)
  • [Domain] nnijs-f-9-9-1.nycpqx.top – hosting command/redirect data
  • [Domain] tmrr-s-f-9-9-1.vosdzxhbv.top – ad server domain for redirects

Read more: https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/