ESET recently uncovered a dangerous advertising module known as Hotpage, which poses a serious threat to Windows computers. The module, masquerading as an advertising lock, allows cyber attackers to execute arbitrary code with elevated privileges.
Last year, the Hotpage.exe file surfaced on Virustotal. Despite being signed by Microsoft and seemingly developed by a legitimate company, antivirus programs identify it as advertising software. In a bizarre twist, rather than eliminating ads, Hotpage actually increases them by intercepting web traffic and redirecting content in the victims’ browsers.
While displaying advertising banners, Hotpage also gathers system information to send back to a remote server linked to the Chinese company Hubei Dunwang Network Technology Co., Ltd.
Hotpage’s installation process involves setting a driver that can inject code into remote processes, enabling attackers to execute malicious code with the highest privileges. Notably, this built-in driver is signed by Microsoft, allowing it to bypass Windows security measures. However, as of May 1, 2024, the driver was removed from Windows servers.
One of the most concerning aspects of Hotpage is the lack of access control for the driver, which means a cybercriminal with standard user rights can gain elevated privileges and run code on behalf of the system account NT Authority System.
Although the exact method of Hotpage distribution remains unknown, experts have discovered that it was promoted as a tool for Internet cafes, supposedly enhancing users’ online experience by blocking ads.