Today > | 4 High | 23 Medium vulnerabilities   -   You can now download lists of IOCs here!

HotPage: Story of a signed, vulnerable, ad-injecting driver

July 19, 2024, 4:03 p.m.

Description

This report investigates a sophisticated Chinese browser injector called HotPage, capable of injecting code into remote processes and intercepting network traffic to modify requested web pages, redirect users, or open new tabs based on rules. Despite claims of being a security solution, HotPage leverages vulnerabilities to perform malicious ad injection. The driver, signed by Microsoft, leaves systems open to privilege escalation attacks due to improper access controls. The analysis uncovers the malware's components, techniques, and the mysterious company behind it.

Date

Published: July 19, 2024, 3:37 p.m.

Created: July 19, 2024, 3:37 p.m.

Modified: July 19, 2024, 4:03 p.m.

Indicators

61.147.93.49

202.189.5.222

140.210.24.33

tmrr-s-f-9-9-1.vosdzxhbv.top

nnijs-f-9-9-1.nycpqx.top

Attack Patterns

HotPage

T1565.002

T1055.004

T1588.003

T1569.002

T1055.001

T1553.002

T1185

T1573.001

T1027.002

T1071.001

T1070.004

T1204.002

T1140

T1033