Microsoft officially approved this extremely dangerous door-opening malware

Category: Cybersecurity

HotPages, a malware disguised as a security product, was found to inject kernel-level infections, making devices vulnerable to further attacks. Initially marketed as an ad blocker named DWAdsafe for internet cafes in China, it was reported to Microsoft on March 18 and removed from the Windows Server Catalog on May 1. The malware intercepted web traffic, manipulated browser content, and collected user information, raising concerns about Microsoft's code-checking process that allowed such malicious software to be approved.

Keywords: malware, HotPages, Microsoft

Source: TweakTown

Update At: 7/19/2024

Related Sources

Live Updates: Global Tech Outage Grounds Flights and Hits Businesses

CrowdStrike experienced a global outage affecting various industries, leading to flight groundings by major U.S. airlines and disruptions at Sydney Airport. The incident follows a previous outage linked to Microsoft networks that impacted several airlines.

The New York Times

HotPage: Story of a signed, vulnerable, ad-injecting driver

Malware research uncovered HotPage.exe, an installer that deploys a driver for code injection into remote processes and intercepts browser traffic. Initially detected as adware, it was found to have a Microsoft-signed driver from a Chinese company, which misrepresents itself as an internet café security solution while actually injecting ads and collecting user data. The driver allows unauthorized code execution at the SYSTEM level, posing significant security risks. Despite being reported to Microsoft, the driver was removed from the Windows Server Catalog, but the malware remains detectable by ESET technologies.

WeLiveSecurity

Microsoft-Signed Chinese Adware Opens the Door to Kernel Privileges

Researchers discovered a fake ad blocker named HotPage.exe, which is actually a sophisticated kernel-level malware. Marketed as a security product, it introduces more ads by manipulating web traffic and drops a vulnerable driver that allows attackers to execute malicious code. Despite being signed by Microsoft, it poses significant security risks, including the ability to block security policies and inject code at the system level. The malware was developed by a questionable company, raising concerns about the laxity of Microsoft's code signing process.

Dark Reading

HotPage Malware Hijacks Browsers With Signed Microsoft Driver

Researchers have identified a new malware, HotPage.exe, which disguises itself as an ad-blocking installer but actually injects code into processes and intercepts browser traffic. It redirects users to ads and collects data, exploiting a signed driver from Microsoft linked to a dubious Chinese company. The malware's kernel component poses significant security risks, allowing other threats to execute high-level code. ESET has reported this vulnerability to Microsoft, leading to the removal of the driver from the Windows Server Catalog.

Infosecurity Magazine

Novel Chinese Browser Injector Lets Hackers Intercept Web Traffic

A novel Chinese browser injector, HotPage.exe, discovered by ESET, allows hackers to intercept browser traffic by injecting malicious code. Posing as an 'Internet cafe security solution', it deploys a Microsoft-signed driver that manipulates browser processes, redirects users to ad pages, and collects system information. Microsoft removed the vulnerable driver in May 2024 after its disclosure. The threat is classified as adware but poses significant risks, including privilege escalation and system access for unauthorized users.

CybersecurityNews

ESET: Chinese Adware Opens Windows Systems to More Threats

Malware disguised as an ad-blocking tool targeted at Chinese-speaking users collects system information and allows privilege escalation in Windows. Researchers from ESET discovered that the HotPage installer, signed by Microsoft, has capabilities beyond adware, including injecting code into browser processes and altering web traffic. The malware exploits trust in security models and highlights vulnerabilities in the software distribution process.

Security Boulevard

Researchers Discover Intrusive ‘HotPage’ Malware with Microsoft-Signed Driver

HotPage.exe, a software installer initially detected as adware, has been found to deploy a Microsoft-signed driver that injects code into system processes and intercepts browser traffic. Developed by Hubei Dunwang Network Technology Co., Ltd., the software falsely claims to enhance web browsing while actually displaying intrusive ads and collecting user data. The malware's kernel-level access allows for further exploitation, raising significant privacy and security concerns. The Microsoft Security Response Center was notified, leading to the driver’s removal from the Windows Server Catalog.

The Cyber Express

Crowdstrike Cyber outage- company publications

Crowdstrike has not addressed a significant issue across any of their platforms, including their blog and social media.

Medium

Statement on Windows Sensor Update

CrowdStrike is addressing a defect in a content update for Windows hosts, which does not affect Mac and Linux. A fix has been deployed, and customers are advised to check the support portal for updates and communicate through official channels.

CrowdStrike

Crowdstrike pares some losses after fix deployed; CRWD still down 12% (NASDAQ:CRWD)

Recent global outages affected various industries, including airports and banks, due to a defect in a Microsoft content update. CrowdStrike, a cybersecurity firm, acknowledged the issue, leading to a significant drop in its stock price despite clarifications that it was not a cyberattack. The situation highlights the vulnerabilities in interconnected systems and the potential for a shift towards protectionism in cybersecurity.

Seeking Alpha