
ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company.
An attacker with a non-privileged account could leverage the vulnerable driver to obtain SYSTEM privileges or inject libraries into remote processes to cause further damage, all while using a legitimate and signed driver.
At the end of 2023, ESET researchers stumbled upon an installer named "HotPage.exe" that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic.
What really stood out to ESET researchers was the embedded driver signed by Microsoft.
Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.
ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process.
News URL
https://www.helpnetsecurity.com/2024/07/22/dwadsafe-ad-blocker-hotpage-malware/