HotPage: Story of a signed, vulnerable, ad-injecting driver

July 19, 2024, 4:03 p.m.

Description

This report investigates a sophisticated Chinese browser injector called HotPage, capable of injecting code into remote processes and intercepting network traffic to modify requested web pages, redirect users, or open new tabs based on rules. Despite claims of being a security solution, HotPage leverages vulnerabilities to perform malicious ad injection. The driver, signed by Microsoft, leaves systems open to privilege escalation attacks due to improper access controls. The analysis uncovers the malware's components, techniques, and the mysterious company behind it.

External References

https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/
https://otx.alienvault.com/pulse/669a882191ab2c8f6e54f76a
Tags
2024-07-19
hotpage
sys driver

Date

  • Created: July 19, 2024, 3:37 p.m.
  • Published: July 19, 2024, 3:37 p.m.
  • Modified: July 19, 2024, 4:03 p.m.

Indicators

  • 61.147.93.49
  • 202.189.5.222
  • 140.210.24.33
  • tmrr-s-f-9-9-1.vosdzxhbv.top
  • nnijs-f-9-9-1.nycpqx.top
Download all indicators here!

Attack Patterns

  • HotPage