URL: https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/
HOTPAGE: STORY OF A SIGNED, VULNERABLE, AD-INJECTING DRIVER

A study of a sophisticated Chinese browser injector that leaves more doors open!

Romain Dumont

18 Jul 2024 • 23 min. read



Malware research involves studying threat actor TTPs, mapping infrastructure,
analyzing novel techniques… And while most of these investigations build on
existing research, sometimes they start from a hunch, something that looks too
simple. At the end of 2023, we stumbled upon an installer named HotPage.exe that
deploys a driver capable of injecting code into remote processes, and two
libraries capable of intercepting and tampering with browsers’ network traffic.
The malware can modify or replace the contents of a requested page, redirect the
user to another page, or open a new page in a new tab based on certain
conditions.

The installer was detected by most security products as an adware component but
what really piqued our interest was the embedded driver signed by Microsoft.
According to its signature, it was developed by a Chinese company named
湖北盾网网络科技有限公司 (machine translation: Hubei Dunwang Network Technology Co., Ltd),
the lack of information about which was intriguing. The distribution method is
still unclear but according to our research, this software was advertised as an
“Internet café security solution” aimed at Chinese-speaking individuals. It
purports to improve the web browsing experience by blocking ads and malicious
websites, but the reality is quite different – it leverages its browser traffic
interception and filtering capabilities to display game-related ads. It also
sends some information about the computer to the company’s server, most likely
to gather installation statistics.

On top of its obvious mischievous behavior, this kernel component
unintentionally leaves the door open for other threats to run code at the
highest privilege level available in the Windows operating system: the SYSTEM
account. Due to improper access restrictions on this kernel component, any
process can communicate with it and leverage its code injection capability to
target any non-protected process.

We reported this driver to Microsoft on March 18th, 2024 and followed their
coordinated vulnerability disclosure process. Microsoft Security Response Center
(MSRC) determined that this is no longer a vulnerability as the offending driver
was removed from the Windows Server Catalog on May 1st, 2024. ESET technologies
detect this threat as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.


WHO IS 湖北盾网网络科技有限公司?

During its execution, the HotPage malware installs a driver, but before diving
into the technical details of its inner workings, we wanted to learn more about
the code-signing signature of this driver. What first caught our attention was
the signing certificate’s owner, as illustrated in Figure 1.

Figure 1. Owner of HotPage driver’s digital signature

Since the 64-bit version of Windows 7, kernel-mode drivers have been required to
be signed to be loaded by the operating system. As previously detailed by
Mandiant Intelligence, SentinelLabs, and G DATA teams, the signing process is
built on trust but there have been cases where this was abused. It seems that
the Chinese company went through Microsoft’s driver code-signing requirements
and managed to obtain an Extended Verification (EV) certificate as shown in
Figure 2.

Figure 2. HotPage driver’s certificate Extended Verification and code-signing
attributes

To retrieve the company name associated with this signature, we had to extract
the signer's attributes. Figure 3 shows the SpcSpOpusInfo attribute, identified
by the object ID 1.3.6.1.4.1.311.2.1.12.

Figure 3. HotPage driver’s certificate SpcSpOpusInfo attribute

Using the LIEF binary parser, it is possible to extract the structure member
programName that identifies the company behind this signature, as displayed in
Figure 4.

Figure 4. Extraction of the company name from the HotPage driver’s certificate

We found a reference to this company in the Windows Server Catalog, as shown in
Figure 5. The company used various product categories when submitting its
drivers for certification. Based on its name, it appears the company developed
two network filtering programs: a netfilter component and the HotPage driver,
referred to as adsafe or by its internal name KNewTalbeBase (note the [Tt]albe
typo, which also occurs elsewhere in the HotPage code).

Figure 5. The Chinese company’s certified products listed in the Windows Server
Catalog

Investigating the company through search engines didn’t yield many results.
According to the company register dingtalk, we discovered that the company was
created on January 6th, 2022 and provided the email address dwadsafe@mail[.]io.
The business scope includes: technology-related activities such as development,
services, consulting, etc., but also advertising activities. As translated in
Figure 6, the principal shareholder is now Wuhan Yishun Baishun Culture Media
Co., Ltd, a very small company that looks to be specialized in advertising and
marketing.

Figure 6. Translated executive and shareholder information about the company

From the Intellectual Property tab, we learned that in April and May 2022 the
company applied for the trade name Shield Internet Café Security Defense and the
website dwadsafe[.]com was created on February 22nd, 2022. The domain now
resolves to localhost (127.0.0.1) and is therefore inaccessible. However, a
screenshot of the website was taken on November 10th, 2023 by a web crawler, as
seen in Figure 7.

Figure 7. Screenshot of the dwadsafe[.]com webpage made by zhizhuyinqing.com
(watermarked in light blue)

The HTTP body of the URL https://www.dwadsafe[.]com/login/reg.html (SHA-1:
744FFC3D8ECE37898A0559B62CC9F814006A1218) was also captured by VirusTotal. The
source code contains the description 网吧主动防御云平台 (machine translation: Internet
café active defense cloud platform). This page includes a license agreement that
details the purpose of the software, albeit with contradictions. Table 1 lists
some interesting bits of that information.

Table 1. Translation of the relevant parts of the license agreement
(translated via Google Translate; emphasis ours)

  Clause 6, original text:
    6、DwAdsafe作为一款主动防御系统,自身并不具有任何拦截功能,单独运行本软件不会对现有任何软件或者程序有拦截、破坏、修改等操作,也不会拦截任何病毒程序。用户只有在编写相关过滤规则后,才会开始生效;用户可以根据自己的实际需要,选择是否使用这些规则.
  Clause 6, translated text:
    6. As an active defense system, DwAdsafe does not have any interception
    function. Running this software alone will not intercept, destroy or
    modify any existing software or programs, nor will it intercept any virus
    programs. Only after users write relevant filtering rules will they take
    effect; users can choose whether to use these rules according to their
    actual needs.

  Clause 7, original text:
    7、DwAdsafe是应用户的强烈需求而开发的:目前,有部分软件和网站的广告对用户存在较大的骚扰和误导,严重影响用户的上网体验。应广大用户提出要求,本公司开发并提供网吧环境下的安全监视、监控、过滤等功能的软件——DwAdsafe。DwAdsafe中所有的过滤规则均由网友提供并共享,通过DwAdsafe发布。用户可以根据自己的实际需要,选择是否使用这些功能。
  Clause 7, translated text:
    7. DwAdsafe was developed in response to the strong needs of users: At
    present, the advertisements of some software and websites are quite
    harassing and misleading to users, seriously affecting users' online
    experience. In response to requests from users, our company develops and
    provides software for security monitoring, monitoring, filtering and other
    functions in Internet café environments – DwAdsafe. All filtering rules in
    DwAdsafe are provided and shared by netizens and published through
    DwAdsafe. Users can choose whether to use these functions according to
    their actual needs.

  Clause 8, original text:
    8、DwAdsafe是主动防御型软件,故包括但不限于拦截、监视、删除、结束等功能。使用DwAdsafe会对计算机信息系统的部分或全部有对应的控制及处理权限,
  Clause 8, translated text:
    8. DwAdsafe is an active defense software, so it includes but is not
    limited to interception, monitoring, deletion, termination and other
    functions. Using DwAdsafe will have corresponding control and processing
    authority over part or all of the computer information system.

According to the license agreement, the software is indeed marketed as a
security solution for internet cafés to block ads. However, despite the
company’s claims that DwAdsafe does not have any interception capability, our
investigation revealed that the software does have a rather intrusive one and
comes with pre-written, unmodifiable rules.

Apart from these bits of information, the company behind this malicious
component remains a mystery.


HOTPAGE ANALYSIS

In this section we describe how the different components are installed and
interact with each other to achieve their purpose: injecting ads into the
browser. So far, we haven’t found out how the malware was distributed but we
believe, with low confidence, that it might have been bundled with another
software package or advertised as a security product due to the level of
privileges needed to install the driver. A few references advertising the
product were found in some forums in 2022; an example is seen in Figure 8.

Figure 8. Mention of dwadsafe[.]com in a forum dedicated to Internet café
maintenance

The installer drops the driver on disk and starts a service to execute it. It
decrypts its configuration file, which contains a list of target Chromium-based
browsers and libraries. If such executables are found running or being loaded,
the driver tries to inject one of the listed libraries into the browser process.
After hooking network-based Windows API functions, the injected library checks
the URL being accessed and under certain conditions, it displays another page to
the user through diverse means.


THE INSTALLER

The installer we analyzed (SHA-1: 941F0D2D4589FB8ADF224C8969F74633267B2561) is a
UPX-compressed file that was uploaded to VirusTotal on 2023-08-26. Figure 9
provides a high-level overview of the driver installation.

Figure 9. Overview of the installer’s workflow

The installer contains the encrypted versions (single-byte XOR operation with
the key 0xE3) of the driver component, the libraries that will be injected into
web browser processes, and three JSON-formatted configuration files:

 * chromedll contains the names of the targeted browser libraries to hook and
   the targeted functions’ pattern for hooking them,
 * hotPage (unused) contains the list of targeted browsers, allowlists of
   command line parameters and websites, and the homepage URL that could be
   used, and
 * newtalbe contains filtering rules, an API endpoint to send basic information
   about the compromised computer, and another one to manage configuration
   updates.

The malware starts by executing the CPUID instruction (see Hypervisor
Discovery), to check whether it’s running within a virtualized environment. Then
it checks if the driver’s device filename \\.\KNewTableBaseIo exists and if not,
it decrypts the driver and stores it in C:\Windows\ShieldNetWork\Business\. Its
name is a randomly generated 7-character string followed by the .sys extension.
A service is created with the file path of the stored driver, and the random
string is used as the service name. Since the start type is set to
SERVICE_DEMAND_START, the service needs to be explicitly started in order to
load the driver. Oddly, this adware doesn’t implement any persistence
mechanisms, or at least not in this version.

The installer proceeds to communicate with and configure the driver via its
device filename using I/O control codes in the following order:

 1. 0x9C4013FC – send the 32-bit hooking library that will be injected into
    target web browser processes.
 2. 0x9C400FFC – send the 64-bit hooking library that will be injected into
    target web browser processes.
 3. 0x9C40173C – send the chromedll configuration.

The installer retrieves the registry key associated with the created service and
checks to see if the values IP and port are present. These values are never set
by this code so they are presumably created by another component. Without going
into the details of the network protocol, the remote server should serve an
update of the newtalbe configuration. The communication is encrypted with RC4,
using a key derived from the string ID:f~WdH+K?KD)r*sD4mk using the Windows
BCryptGenerateSymmetricKey function. Figure 10 shows the content of the
configuration file.

Figure 10. newtalbe configuration

Table 2 describes the important values used from this file, listed in the order
that they appear in the configuration file (Figure 10).

Table 2. newtalbe configuration description (value, followed by its description)

  cnz
    URI pattern matching URLs used to collect statistics when visiting the URL
    specified by the url value.

  url and dns
    If one of the URLs listed in blist is being accessed, a new tab pointing to
    the url value will be opened. The dns value is the IP address of the domain.

  hostapikey, hostapi, hostlist
    The URL value of hostapi is used to update the hostlist, a dictionary
    comprised of game-related domains along with their corresponding IP
    addresses. The hostapikey is the decryption key.

  apiurl
    List of endpoints to send information about the compromised computer to.

  wlist, blist, jclist, hblist
    Lists of patterns (URI, domains, file extensions, HTML code, and HTTP
    response headers) to match to apply redirection rules (see the Hooking
    NtDeviceIoControlFile and inspecting incoming and outgoing data section).

Using the hostapi URL value of this file, an HTTP GET request is made over TLS
with a generic User-Agent string. The received data is decrypted using RC4 with
the hostapikey value; it contains a dictionary of gaming-related hostnames with
their corresponding resolved address.

Once these updates are done, the installer sends the updated newtalbe
configuration to the driver by issuing an I/O request with the control code
0x9C400BFC.

Finally, the malware iterates over the list of endpoints provided by the JSON
element apiurl and for each one of them it creates a JSON-formatted string
containing information about the compromised computer, encrypts it with RC4
using a key derived from the string Abc123!@#&XM via the Windows API
BCryptGenerateSymmetricKey, and sends the collected information to the remote
server via an HTTP POST request. The collected information includes the computer
name, the network interface MAC address, the version of the operating system,
and the dimensions of the screen.
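The helpers below reproduce the two encryption layers described in this section (the single-byte XOR with 0xE3 on the embedded components, and the RC4 encryption of the newtalbe update and of the telemetry body) so an analyst can unpack a sample offline; they are an added example, not code from the ESET write-up or from HotPage. They assume that BCryptGenerateSymmetricKey with the RC4 algorithm uses the key string's bytes as-is, and the telemetry field names and values are constructed for the demo.

```python
"""Analyst helpers for HotPage's XOR and RC4 layers (added example, not HotPage code)."""
import json

XOR_KEY = 0xE3                              # single-byte XOR on the embedded driver/DLLs
NEWTALBE_KEY = b"ID:f~WdH+K?KD)r*sD4mk"     # RC4 key string for the newtalbe update
TELEMETRY_KEY = b"Abc123!@#&XM"             # RC4 key string for the telemetry POST body


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to the embedded components (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Assumption: CNG's BCryptGenerateSymmetricKey with the RC4
    algorithm uses the secret bytes as the key unchanged, so this matches the malware."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_json(blob: bytes, key: bytes) -> dict:
    """Decrypt an RC4 blob (config update or telemetry body) and parse it as JSON."""
    return json.loads(rc4(key, blob).decode("utf-8"))


def find_xor_encoded_pes(image: bytes, key: int = XOR_KEY) -> list:
    """Carve XOR-encoded PE files out of a larger blob such as the UPX-unpacked installer:
    look for an encoded 'MZ' whose e_lfanew field points at an encoded 'PE\\0\\0' signature."""
    needle = xor_decode(b"MZ", key)
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        start = pos + 1
        header = xor_decode(image[pos:pos + 0x40], key)
        if len(header) < 0x40:
            continue
        e_lfanew = int.from_bytes(header[0x3C:0x40], "little")
        if e_lfanew < 0x40 or pos + e_lfanew + 4 > len(image):
            continue
        if xor_decode(image[pos + e_lfanew:pos + e_lfanew + 4], key) == b"PE\0\0":
            hits.append(pos)
    return hits


# Constructed sample 1: a telemetry body of the kind the installer sends, with made-up
# values, encrypted with the telemetry key (RC4 is symmetric, so the same routine encrypts).
SAMPLE_TELEMETRY = {"computername": "LAB-PC", "mac": "00-11-22-33-44-55",
                    "os": "10.0.19045", "screen": "1920x1080"}
SAMPLE_TELEMETRY_BLOB = rc4(TELEMETRY_KEY, json.dumps(SAMPLE_TELEMETRY).encode())

# Constructed sample 2: a minimal DOS/PE header stub, XOR-encoded and embedded at offset 16,
# preceded by a stray encoded 'MZ' at offset 8 that must not be reported.
_PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
SAMPLE_IMAGE = b"\0" * 8 + xor_decode(b"MZ") + b"\0" * 6 + xor_decode(_PE_STUB) + b"\0" * 8


if __name__ == "__main__":
    print(decrypt_json(SAMPLE_TELEMETRY_BLOB, TELEMETRY_KEY))
    for offset in find_xor_encoded_pes(SAMPLE_IMAGE):
        print(f"XOR-encoded PE at offset {offset:#x}")
```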


INJECTOR DRIVER

The driver’s main purpose is to inject libraries into browser applications and
alter their execution flow to change the URL being accessed or open a page in a
new tab. Two threads are created to handle requests for opening a new tab and
injecting libraries using the publicly available Blackbone project.
Additionally, process creation and image loading notification routines are set
to monitor newly created processes and executable images being loaded. The
simplified logic of the driver is illustrated in Figure 11.

Figure 11. Simplified driver logic

For an unknown reason, the driver starts by deleting its image from the disk.
Afterwards it creates a device object named \\.\KNewTableBaseIo and sets its
IRP_MJ_DEVICE_CONTROL routine to handle the various I/O requests listed in Table
3. The control codes (IOCTL) used for configuration or setting the injected
libraries can only be called once; therefore the settings cannot be updated.
These special control codes are protected by checking that the caller’s file
path matches the regular expression *ShieldNetWork\\Business\\DwBusiness_*.

Table 3. List of available IOCTLs and their description

  IOCTL        Action
  0x9C400BFC   Parses the newtalbe configuration passed as an argument.
  0x9C400FFC   Sets the 64-bit library to be injected.
  0x9C4013FC   Sets the 32-bit library to be injected.
  0x9C40173C   Parses the chromedll configuration passed as an argument.
  0x9C401EC4   Receives a list of browser tabs (processes) to kill.
  0x9C4027A8   Returns the hotPage configuration.
  0x9C4027AC   Returns the size of the hotPage configuration.
  0x9C4027E8   Returns the newtalbe configuration.
  0x9C4027EC   Returns the size of the newtalbe configuration.
  0x9C4027FC   Parses the hotPage configuration passed as an argument.

When handling the control codes 0x9C400BFC and 0x9C40173C, the driver iterates
over the loaded modules of all the running processes. If one of the targeted
modules listed in the chromedll configuration is found, a request to inject a
library into that process is queued.

Finally, the driver ends its initialization by creating two threads and setting
the notification routines mentioned above.

It is important to note that the hotPage configuration is never set. Any
mentions of this file are solely made to describe how it would be used according
to the driver’s control flow. Essentially the hotPage configuration is used to
redirect the user to a specific page (or homepage) filled with ads when a
targeted browser is launched.

The version of the software we analyzed relied only on the chromedll and
newtalbe configurations to achieve its ad injection.

LIBRARY INJECTION THREAD

This thread checks the queued injection requests, and for each of them, it
attaches itself to the targeted process via KeStackAttachProcess, allocates
chunks of memory, and copies its shellcode. Using the Blackbone library function
ZwCreateThreadEx, the driver calls the shellcode, which implements its own PE
loader and calls the entry point of the injected library.

NEW TAB THREAD

The second thread uses the same logic; however, the injected shellcode is
different. It calls the Windows API function CreateProcessW with the command
line parameter being the process name of the targeted process concatenated with
the URL that should be opened. The latter is made of the URL followed by the sum
of the idindex and the userid variables from the hotPage configuration. For
instance, the configuration shown in Figure 12 would create the string
https://www.hao774[.]com/?90386-00001. Since Chromium-based browsers create a
new process for each new tab, creating a process from the browser process will
effectively create a new tab.

Figure 12 shows the content of the hotPage configuration file.

Figure 12. The hotPage configuration

This configuration file contains the list of targeted web browsers and command
line parameters that determine whether the process should be injected. The
domain names are either related to gaming ads or internet café maintenance.

PROCESS CREATION NOTIFICATION ROUTINE

Essentially, this routine makes sure the homepage of the new web browser
instance is redirected to a specific URL present in the hotPage configuration.
This section describes how the driver implements this feature even if it’s not
used, since this version of the installer never sends this configuration to the
driver.

Depending on the following conditions, the web browser process will be marked as
eligible for opening the URL in the hotPage configuration:

 * this is the first instance of the browser and not a new tab being opened,
 * the process’s file path matches one of the regular expressions in the browser
   list in the hotPage configuration,
 * the command line of the process does not match any regular expression in the
   wlist list of the hotPage configuration, and
 * if the process’s command line includes its own file path, it must not match
   any regular expressions in the ppwlist list of the hotPage configuration.

As detailed in the next section, when the browser process starts loading the
first executable images, a request to open a new tab is queued. Figure 13 and
Figure 14, respectively, show the difference between the legitimate web
directory 2345[.]com and the ad-riddled page displayed to the user.

Figure 13. Legitimate main page of the web directory 2345[.]com

Figure 14. Ad-riddled page mimicking the homepage of 2345[.]com

IMAGE LOADING NOTIFICATION ROUTINE

This routine essentially handles two types of scenarios. If the image being
loaded is in the chromedll list, an APC routine is queued that will load one of
the hooking libraries via its own PE loader.

Otherwise, if the process was marked eligible for opening a new page, the
malware achieves this either by opening it in a new tab or in the current one.
If the process filename matches one of the regular expressions in the browser1
list of the hotPage configuration, a request to open a new tab is queued and
will be handled by the appropriate thread (note that the browser1 list element
was not present in the configuration file we retrieved). In the other case, the
page will be opened in the tab being created by queuing a work item (via
IoQueueWorkItemEx) that will modify the command line of the process being
created. The latter attaches itself to the process, finds the export address of
GetCommandLineA and GetCommandLineW inside the kernelbase.dll library, and
modifies the Unicode string stored in BaseAnsiCommandLine. The command line is
replaced with the process’s executable file path concatenated with the URL in
the hotPage configuration. Figure 15 shows a side-by-side comparison of the code
responsible for finding the command line buffer and the disassembly of the
GetCommandLineA function.

Figure 15. Function that finds the command line buffer (left) and disassembly of
the GetCommandLineA function (right)


INJECTED LIBRARY

The first thing that the injected library does is to retrieve the hotPage and
newtalbe configurations by querying the driver. If the injected browser filename
is 360Chrome, it deletes the registry key HKCU\Software\360chrome\Homepage and
patches the Preferences file (located under the browser’s default directory
360chrome\chrome\User Data\Default\Preferences) to make the homepage point to
the URL value of the hotPage configuration.

Using the Microsoft Detours hooking library, the sample hooks
SetProcessMitigationPolicy to make it return 1 in order to prevent security
policies from being applied to the process, thereby allowing code injection.
Then getaddrinfo is hooked to force the browser to resolve certain hostnames to
specific IP addresses to ensure the redirection is made to the right server in
case the domain names do not exist anymore.

HOOKING SSL_READ AND SSL_WRITE

The malware hooks the SSL_read and SSL_write functions to allow the manipulation
of the browser’s decrypted TLS traffic; it does so by searching for specific
patterns inside the loaded modules, since these functions are not exported. For
instance, the chromewrite dictionary inside the chromedll configuration contains
two types of patterns, sslcode and oldchrome, as seen in Figure 16. They are,
respectively, used for finding newer and older versions of the DoPayloadWrite
function. We tested and confirmed that the patterns match the Microsoft Edge
library msedge.dll version 122.0.2365.80.

Figure 16. Patterns used to find the DoPayloadWrite function

The mode value is used to determine the version of the pattern, either 32-bit or
64-bit; the code value is the actual byte pattern, and the offset is the
distance from the start of the pattern to the pointer to the SSL_write function
(see Figure 17).

Figure 17. Finding the pointer to the SSL_write function

Once SSL_write and SSL_read are found, they are hooked using the Detours
library. For the former, the malware inspects the data and then calls the
original function, which encrypts and sends it. As for the latter, the injected
library does the opposite in order to manipulate decrypted data. For both
functions, the data is inspected by the code that respectively handles the
AFD_SEND and AFD_RECV control codes in the function hooking
NtDeviceIoControlFile.


HOOKING NTDEVICEIOCONTROLFILE AND INSPECTING INCOMING AND OUTGOING DATA

The malicious library hooks the NtDeviceIoControlFile function to handle
specific IOCTL codes as seen in Figure 18.

Figure 18. Hook routine for NtDeviceIoControlFile API function

For the control code 0x12023 (AFD_SEND_DATAGRAM used when sending UDP packets),
the malware cancels any DNS requests by returning STATUS_INVALID_PARAMETER if
the remote port number is 53. This ensures that the web browser only uses the
hosts provided by the newtalbe configuration.

The routine that handles the control code 0x1201F (AFD_SEND) starts by
extracting the URL and the Referer header from the request. Depending on which
values in the newtalbe and hotPage configurations the URL matches, the malware
performs the actions described in Table 4. In some cases, the request is sent
but the response is modified in the routine handling the AFD_RECV control code,
using the different redirection methods explained afterwards.

Table 4. List of actions performed under certain conditions when sending HTTP
requests

  Configuration   Matching value   Action
  newtalbe        cnz              Sends info about the compromised computer to
                                   the apiurl (similar to the end of the
                                   installer).
  hotPage         whomepage        Increases internal homepage hit counter.
  hotPage         wjclist          Sends the data without any modifications.
  newtalbe        url or wlist     Sends the data without any modifications.
  newtalbe        blist            Sends the data but modifies the response
                                   using redirection method 0. The response is
                                   opened in a new browser tab.
  newtalbe        jclist           Sends the data but modifies the response
                                   using redirection method 1.
  newtalbe        bcnzlist         Sends the data but modifies the response
                                   using redirection method 2.
  hotPage         jclist           Sends the data but modifies the response
                                   using redirection method 3.

For control code 0x12017 (AFD_RECV), the malware first retrieves the data
received by the client and checks whether the response was marked eligible for
redirection. There are four types of redirection, as described in Table 5. The
xxx string in the modified response is replaced with the URL in the newtalbe
configuration.

Table 5. Redirection methods

  Redirection method 0
    Modified response:
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Content-Type: text/html
      Connection: close
      Location: xxx
    Description: Redirect the user to another page using the HTTP code 302; an
      internal redirection counter is incremented.

  Redirection method 1
    Modified response:
      <html><head><meta charset="utf-8"><meta content="always" name="referrer"></head><body scroll=no style="margin:0;padding:0"><iframe src="xxx" width=100% height=100% frameborder=0></iframe></body></html>
    Description: Replace the content of the current page with an iframe
      pointing to a new URL.

  Redirection method 2
    Modified response:
      location.replace("xxx")
    Description: Redirect the current page using the replace method of the
      Location interface.

  Redirection method 3
    Modified response:
      HTTP/1.1 302 Moved Temporarily
      Server: nginx
      Content-Type: text/html
      Connection: close
      Location: xxx
    Description: Same as redirection 0 but the redirection counter is not
      incremented.

Figure 19 illustrates redirection method 0 being applied after navigating to a
URL matching one of the blist URL patterns of the newtalbe configuration
(www.5zy[.]cn). Another tab is opened and points to the url specified in the
same configuration.

Figure 19. Redirection method 0
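Because the rewritten responses in Table 5 are fixed templates, they are a usable network-side detection signal; the classifier below, an added example that is not code from the ESET write-up or from HotPage, matches captured HTTP responses against those templates. It assumes that the injected 302 carries exactly the four listed headers and nothing else, that line endings are CRLF or LF, and that the iframe and location.replace bodies are emitted verbatim; the sample captures and ad URL are constructed.

```python
"""Classify captured HTTP responses against the HotPage rewrite templates in Table 5
(added example, not code from the ESET write-up or from HotPage)."""
from __future__ import annotations
import re

# The templates as listed in Table 5; xxx is the placeholder the DLL fills with the
# configured URL. Assumptions: the injected 302 carries exactly these four headers and
# nothing else, and the two body templates are emitted verbatim.
TEMPLATES = {
    "302 (method 0/3)": (
        "HTTP/1.1 302 Moved Temporarily\nServer: nginx\nContent-Type: text/html\n"
        "Connection: close\nLocation: xxx\n\n"
    ),
    "iframe (method 1)": (
        '<html><head><meta charset="utf-8"><meta content="always" name="referrer"></head>'
        '<body scroll=no style="margin:0;padding:0"><iframe src="xxx" width=100% '
        'height=100% frameborder=0></iframe></body></html>'
    ),
    "location.replace (method 2)": 'location.replace("xxx")',
}

# Escape each template literally, then turn the xxx placeholder into a capture group.
PATTERNS = {
    name: re.compile(re.escape(tpl).replace("xxx", r'(?P<url>[^"\n]+)'))
    for name, tpl in TEMPLATES.items()
}


def classify_response(raw: str) -> tuple[str, str] | None:
    """Return (method label, injected URL) if the response matches a template, else None.
    Methods 0 and 3 are byte-identical on the wire (they differ only by a counter inside
    the DLL), so they are reported under one label."""
    raw = raw.replace("\r\n", "\n")          # accept CRLF or LF line endings
    m = PATTERNS["302 (method 0/3)"].match(raw)
    if m:
        return "302 (method 0/3)", m.group("url")
    # The two body templates replace the entire resource, so require a full-body match;
    # a legitimate page that merely contains a location.replace() call is not reported.
    body = raw.split("\n\n", 1)[-1].strip()
    for name in ("iframe (method 1)", "location.replace (method 2)"):
        m = PATTERNS[name].fullmatch(body)
        if m:
            return name, m.group("url")
    return None


def scan_responses(responses: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Run the classifier over named captures and keep only the hits."""
    hits = {}
    for name, raw in responses.items():
        result = classify_response(raw)
        if result:
            hits[name] = result
    return hits


# Constructed captures. The ad URL is a placeholder, not an indicator from the write-up.
AD_URL = "https://ad.example.invalid/landing"
SAMPLES = {
    # Genuine nginx redirect: the Date and Content-Length headers break the exact template.
    "legit_302": ("HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
                  "Date: Thu, 18 Jul 2024 10:00:00 GMT\r\nContent-Type: text/html\r\n"
                  "Content-Length: 0\r\nConnection: close\r\n"
                  "Location: https://www.example.com/\r\n\r\n"),
    "injected_302": TEMPLATES["302 (method 0/3)"].replace("xxx", AD_URL).replace("\n", "\r\n"),
    "injected_iframe": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        + TEMPLATES["iframe (method 1)"].replace("xxx", AD_URL)),
    "injected_js": ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
                    + TEMPLATES["location.replace (method 2)"].replace("xxx", AD_URL)),
    "normal_page": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    "<html><body><script>location.replace(\"/home\")</script></body></html>"),
}

if __name__ == "__main__":
    for name, (method, url) in scan_responses(SAMPLES).items():
        print(f"{name}: {method} -> {url}")
```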


SECURITY ISSUES AND PRIVILEGE ESCALATION

When initializing its device object, the driver does not specify any access
control lists (ACLs) to restrict who can communicate with it; therefore, anyone
can send I/O requests to it. As mentioned previously, some I/O control codes
require the requesting process to be in a path matching the regex:

*ShieldNetWork\\Business\\DwBusiness_*

This is clearly not sufficient to check whether the communicating process is one
of the HotPage components and can easily be bypassed by creating the required
directories under a user-writable folder.

We came up with two scenarios that would allow a user with the HotPage driver
running on their system to run code as the NT AUTHORITY\System account. We
created a proof-of-concept (PoC) script in Python to achieve both scenarios.

SCENARIO #1: PRIVILEGE ESCALATION VIA ARBITRARY DLL INJECTION IN ARBITRARY
PROCESSES

In this first scenario, we assume that the driver was loaded but that the
chromedll configuration and the libraries to inject were not set. In that case,
it is possible to create and set our own library to inject. We created a small
library that simply logs the PID of the injected process, whether it is running
with administrator privileges, and the injected process's file path.

As seen in the screenshot of the log file in Figure 20, many processes were
injected with our library, including processes with administrator privileges.

Figure 20. Log file of our injected library

It should be noted, however, that protected processes cannot be injected using
this technique.

SCENARIO #2: PRIVILEGE ESCALATION VIA CHANGING THE COMMAND LINE OF NEWLY CREATED
PROCESSES

In the first scenario, we relied on the fact that both the injected libraries
and the chromedll configuration were not set, but, as seen in the installer
analysis, they are both set as soon as the driver is initially loaded. However,
the hotPage configuration never gets set. Based on the control flow analysis, we
devised a way to leverage the driver’s process creation and image loading
notification routines’ logic to execute the same executable again but with a
different command line.

Under certain conditions, as explained in the Process creation notification
routine and Image loading notification routine sections, the driver can open a
new tab pointing to the URL present in the hotPage configuration. This is
achieved either by replacing the command line of the newly created browser
process or by duplicating the browser process and changing its command line to
the URL in the hotPage configuration. If we specify which process can be
duplicated and the new command line, we can achieve privilege escalation by
targeting a process with SYSTEM privileges, for instance.


CONCLUSION

The analysis of this rather generic-looking piece of malware has proven, once
again, that adware developers are still willing to go the extra mile to achieve
their goals. Not only have they developed a kernel component with a large set of
techniques to manipulate processes, but they also went through the requirements
imposed by Microsoft to obtain a code-signing certificate for their driver
component.

The HotPage driver reminds us that abuse of Extended Validation (EV)
code-signing certificates is still a thing. Since many security models are, at
some point, based on trust, threat actors are inclined to operate on the line
between legitimate and shady. Whether such software is advertised as a security
solution or simply bundled with other software, the capabilities granted by that
trust expose users to security risks.

As annoying as adware can be, the vulnerabilities introduced by this malware
leave the system open to even more dangerous threats. An attacker with a
non-privileged account could leverage the vulnerable driver to obtain SYSTEM
privileges or inject libraries into other processes to cause further damage,
all while using a legitimate, signed driver.

ESET technologies detect this threat – which Microsoft removed from the Windows
Server Catalog on May 1st, 2024 – as Win{32|64}/HotPage.A and
Win{32|64}/HotPage.B.

> For any inquiries about our research published on WeLiveSecurity, please
> contact us at threatintel@eset.com
> ESET Research offers private APT intelligence reports and data feeds. For any
> inquiries about this service, visit the ESET Threat Intelligence page.


IOCS

A comprehensive list of IoCs and samples can be found in our GitHub repository.


FILES

SHA-1: 0D1D298A3EBCA4ECE0BA52828DD3B7676D884E7F
Filename: N/A
Detection: Win64/HotPage.B
Description: HotPage driver.

SHA-1: DDD82422D418FC8E8748BCC7BD2E2BC468124A6B
Filename: N/A
Detection: Win32/HotPage.B
Description: 32-bit HotPage hooking library.

SHA-1: D5D646B052E8B25723991CB4CAB51CB2F9D55906
Filename: N/A
Detection: Win64/HotPage.A
Description: 64-bit HotPage hooking library.

SHA-1: 941F0D2D4589FB8ADF224C8969F74633267B2561
Filename: Hotpage.exe
Detection: Win32/HotPage.A
Description: HotPage installer.


NETWORK

IP: 61.147.93[.]49
Domain: nnijs-f-9-9-1.nycpqx[.]top
Hosting provider: CHINATELECOM JiangSu YangZhou IDC.
First seen: 2023-10-06
Details: Server used to obtain a list of game-related domains with their
corresponding IP addresses.

IP: 140.210.24[.]33
Domain: tmrr-s-f-9-9-1.vosdzxhbv[.]top
Hosting provider: CHINATELECOM JiangSu YangZhou IDC.
First seen: 2023-10-06
Details: Compromised users are redirected to this web server, which hosts
ad-riddled pages.

IP: 202.189.5[.]222
Domain: N/A
Hosting provider: Shandong eshinton Network Technology Co., Ltd.
First seen: 2023-10-06
Details: Former DwAdsafe domain used to collect information about installations.


MITRE ATT&CK TECHNIQUES

This table was built using version 15 of the MITRE ATT&CK framework.

Tactic: Resource Development
  T1588.003  Obtain Capabilities: Code Signing Certificates
             DwAdsafe’s driver is signed with a valid code-signing certificate.

Tactic: Execution
  T1204.002  User Execution: Malicious File
             The installer component is an executable application.
  T1569.002  System Services: Service Execution
             DwAdsafe’s driver is loaded by creating a service.

Tactic: Persistence
  T1574.013  Hijack Execution Flow: KernelCallbackTable
             DwAdsafe’s driver installs kernel callbacks to monitor loaded
             images and process creation.

Tactic: Defense Evasion
  T1055.004  Process Injection: Asynchronous Procedure Call
             DwAdsafe’s driver can use APC as an injection method.
  T1553.002  Subvert Trust Controls: Code Signing
             DwAdsafe’s driver is signed with a valid code-signing certificate.
  T1140      Deobfuscate/Decode Files or Information
             The embedded configuration files are encrypted.
  T1055.001  Process Injection: Dynamic-link Library Injection
             DwAdsafe can hijack web browser processes’ control flow by
             injecting DLLs.
  T1027.009  Obfuscated Files or Information: Embedded Payloads
             DwAdsafe’s driver and hooking libraries are embedded inside the
             installer.
  T1070.004  Indicator Removal: File Deletion
             DwAdsafe’s driver deletes itself from disk.
  T1027.002  Obfuscated Files or Information: Software Packing
             DwAdsafe’s installer is packed with UPX.

Tactic: Discovery
  T1033      System Owner/User Discovery
             DwAdsafe’s installer and the hooking libraries collect the
             victim’s username.

Tactic: Collection
  T1185      Browser Session Hijacking
             DwAdsafe’s hooking libraries can intercept and tamper with network
             traffic inside web browser processes.

Tactic: Command and Control
  T1071.001  Application Layer Protocol: Web Protocols
             The HTTP protocol is used to send collected information about the
             user and computer to the C&C.
  T1573.001  Encrypted Channel: Symmetric Cryptography
             The RC4 encryption algorithm is used for encrypting communication
             with the C&C.

Tactic: Impact
  T1565.002  Data Manipulation: Transmitted Data Manipulation
             DwAdsafe’s hooking libraries can intercept and tamper with network
             traffic inside web browser processes.


