Researchers have observed a seemingly innocuous software installer named HotPage.exe being used to deploy a Microsoft-signed driver with the capability of injecting code into remote system processes and intercepting browser traffic.
While the malware had been initially detected as adware, its malware-like ability to modify web content and redirect users raised red flags among security researchers. The driver, signed by Microsoft, was developed by an obscure Chinese company called Hubei Dunwang Network Technology Co., Ltd.
Intrusive Nature of HotPage
Advertised towards Chinese-speaking users, the software claims to enhance web browsing by blocking ads and malicious sites. However, in reality HotPage abuses its functions to display game-related ads and collect system information.
At its core, researchers from ESET state that the malware functions through the use of a Microsoft-signed driver to perform code injection into processes running on the infected system. Along with this code execution, the malware installs two libraries designed to intercept and manipulate browser network traffic to affected systems. This allows the malware to modify web page content, redirect users, or even open new tabs based on predetermined conditions.
The kernel-level access granted by the embedded driver opens up pathways for the deployment of additional malware payloads on victim systems. Through the exploitation of improper access restrictions, the malware potentially allows threat actors to execute code with the highest available privileges within the Windows operating system.
Following the discovery of these vulnerabilities, the Microsoft Security Response Center (MSRC) was notified on March 18, 2024. By May 1, 2024, the driver was removed from the Windows Server Catalog, with researchers identifying the threats as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.
The Company Behind the Malware
The malware’s developers had obtained an Extended Verification certificate from Microsoft for use in signing the HotPage driver. The company, Hubei Dunwang Network Technology Co., Ltd., had been established in January 2022 and is now owned by Wuhan Yishun Baishun Culture Media Co., Ltd., a small advertising firm.
Despite claiming to offer security solutions, researchers believe the company’s product seems to contradict its own license agreement. While the company stated that DwAdsafe lacked interception capabilities, the software actually includes intrusive monitoring and filtering functions.
The company’s website, dwadsafe[.]com, is no longer accessible, but archived versions describe the product as an “Internet cafe active defense cloud platform.” Researchers note conflicts between the company’s license agreement and the software’s actual purpose and capabilities.
While masquerading as a helpful tool, HotPage poses significant risks to user privacy and system security. Its signed driver and deceptive marketing demonstrate a disturbing trend where malware programs are presented as legitimate software with well-intentioned purposes.
The campaign underscores the critical need for thorough vetting processes for driver signing as threat actors attempt to exploit trust in legitimate software channels.