July 18, 2024 at 09:45AM
Cybersecurity researchers have discovered an adware called HotPage, capable of running arbitrary code on Windows hosts. The malware intercepts and modifies browser traffic, displaying ads and redirecting webpages. It exfiltrates system information to a Chinese company’s server and exploits a Microsoft Windows policy loophole. HotPage’s kernel component is signed by Microsoft, potentially making it more dangerous.
The meeting notes describe the discovery of HotPage, malware that masquerades as an ad blocker but in fact injects code into processes, redirects users, and accesses system information on Windows hosts. It bundles a signed kernel driver that lets attackers run arbitrary code with elevated permissions, and it has been distributed as a security solution for internet cafes. The notes also highlight that native Chinese-speaking threat actors have exploited a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers. This is a significant security concern and illustrates the ongoing efforts of adware developers to evade detection and carry out malicious activity.