HotPage: Story of a signed, vulnerable, ad-injecting driver
July 19, 2024, 4:03 p.m.
Tags
External References
Description
This report investigates HotPage, a sophisticated Chinese browser injector that can inject code into remote processes and intercept network traffic in order to modify requested web pages, redirect users, or open new tabs according to rules. Although it is presented as a security solution, its real purpose is ad injection. The kernel driver at its core is signed by Microsoft, yet it enforces no proper access control over which processes may interact with it, leaving affected systems open to local privilege escalation. The analysis covers the malware's components, its techniques, and the little-known company behind it.
Date
Published: July 19, 2024, 3:37 p.m.
Created: July 19, 2024, 3:37 p.m.
Modified: July 19, 2024, 4:03 p.m.
Indicators
61.147.93.49
202.189.5.222
140.210.24.33
tmrr-s-f-9-9-1.vosdzxhbv.top
nnijs-f-9-9-1.nycpqx.top
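The indicators above are only useful once they are matched against telemetry. The following is an added example (not code from the ESET report or from the HotPage components it describes) that scans log lines for the listed IPs and hostnames. The leftmost labels of the two hostnames look machine-generated, so the code also flags any other host under the same registrable domains; that suffix match is an assumption of this example, not something the page states, and is reported at a separate, lower-confidence level. The log lines are constructed for the example.

```python
"""Match the HotPage network indicators listed on this page against log lines."""
import ipaddress
import re
from typing import Iterable, Optional

# Network indicators copied from the Indicators section of this page.
HOTPAGE_IPS = frozenset({"61.147.93.49", "202.189.5.222", "140.210.24.33"})
HOTPAGE_HOSTS = frozenset({"tmrr-s-f-9-9-1.vosdzxhbv.top", "nnijs-f-9-9-1.nycpqx.top"})

# Assumption of this example (not stated on the page): the leftmost labels look
# generated, so any other host under the same registrable domains is also flagged,
# at lower confidence ("domain-suffix" rather than "host").
HOTPAGE_DOMAINS = frozenset(h.split(".", 1)[1] for h in HOTPAGE_HOSTS)

# Dotted-quad tokens; the lookarounds stop us matching inside longer tokens.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
# Hostname tokens: two or more labels of letters, digits and interior hyphens.
HOST_RE = re.compile(
    r"(?<![\w.-])([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)(?![\w.-])",
    re.I,
)


def classify_host(host: str) -> Optional[str]:
    """Return "host" for an exact hit, "domain-suffix" for a sibling under the
    same registrable domain, or None.  Comparison is case-insensitive and
    ignores a trailing dot; "evil-nycpqx.top" must NOT match "nycpqx.top"."""
    host = host.lower().rstrip(".")
    if host in HOTPAGE_HOSTS:
        return "host"
    if any(host == d or host.endswith("." + d) for d in HOTPAGE_DOMAINS):
        return "domain-suffix"
    return None


def scan_line(line: str) -> list:
    """Return [(kind, indicator), ...] for every indicator found in one line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        if ip in HOTPAGE_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        try:
            ipaddress.IPv4Address(host)
            continue  # numeric token, already handled above
        except ValueError:
            pass
        kind = classify_host(host)
        if kind:
            hits.append((kind, host.lower()))
    return hits


def scan_log(lines: Iterable[str]) -> list:
    """Return [(line_number, kind, indicator), ...] over a whole log."""
    report = []
    for n, line in enumerate(lines, 1):
        for kind, ioc in scan_line(line):
            report.append((n, kind, ioc))
    return report


# Constructed sample log for this example; not taken from the report.
SAMPLE_LOG = [
    "2024-07-19T10:01:02Z dns client=10.0.0.5 query=tmrr-s-f-9-9-1.vosdzxhbv.top answer=61.147.93.49",
    "2024-07-19T10:01:05Z dns client=10.0.0.5 query=abcd-f-9-9-1.nycpqx.top answer=140.210.24.33",
    "2024-07-19T10:02:00Z http client=10.0.0.7 host=www.example.com dst=93.184.216.34",
    "2024-07-19T10:02:10Z dns client=10.0.0.9 query=evil-nycpqx.top answer=198.51.100.20",
    "2024-07-19T10:03:00Z tls client=10.0.0.9 sni=update.example.net dst=202.189.5.222",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind:<13} {ioc}")
```

Lines 1, 2 and 5 of the sample produce hits; line 4 does not, because a sibling registrable domain (`evil-nycpqx.top`) is not a subdomain of `nycpqx.top`. When wiring this into a real pipeline, keep the "domain-suffix" hits separate from exact hits so they can be tuned or dropped without losing the page's own indicators.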
Attack Patterns
HotPage
T1565.002 (Data Manipulation: Transmitted Data Manipulation)
T1055.004 (Process Injection: Asynchronous Procedure Call)
T1588.003 (Obtain Capabilities: Code Signing Certificates)
T1569.002 (System Services: Service Execution)
T1055.001 (Process Injection: Dynamic-link Library Injection)
T1553.002 (Subvert Trust Controls: Code Signing)
T1185 (Browser Session Hijacking)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
T1027.002 (Obfuscated Files or Information: Software Packing)
T1071.001 (Application Layer Protocol: Web Protocols)
T1070.004 (Indicator Removal: File Deletion)
T1204.002 (User Execution: Malicious File)
T1140 (Deobfuscate/Decode Files or Information)
T1033 (System Owner/User Discovery)