Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

July 18, 2024 at 01:54PM

Researchers discovered a fake ad blocker in China, marketed to Internet cafés, that conceals sophisticated malware. “HotPage.exe,” signed through Microsoft’s driver approval process, appears to be adware but can intercept web traffic, inject additional ads, and drop a system-level driver. ESET reported it to Microsoft, which removed it on May 1. The malware was developed by a company registered in 2022, and the case raises concerns about lax code signing processes.

The key takeaways from the article are:

1. A piece of malware called HotPage.exe was discovered in a fake ad blocker marketed to Internet cafés in China.
2. The malware injects additional ads by intercepting web traffic, drops a vulnerable system-level driver, and thereby allows attackers to execute malicious code with high privileges.
3. ESET reported HotPage to Microsoft, and it was subsequently removed from the Windows Server Catalog.
4. The malware can be weaponized easily and hooks the Windows API function “SetProcessMitigationPolicy” to block security policies.
5. HotPage was developed by a company called Hubei Dunwang Network Technology Co. Ltd., which used Microsoft’s code signing process to appear legitimate.
6. Microsoft’s code signing process can be abused, and users should not blindly trust any program, even those deemed trustworthy by Microsoft.
