Ad-injecting malware posing as DwAdsafe ad blocker uses Microsoft-signed driver
2024-07-22 03:00

ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company.

An attacker with a non-privileged account could leverage the vulnerable driver to obtain SYSTEM privileges or inject libraries into remote processes to cause further damage, all while using a legitimate and signed driver.

At the end of 2023, ESET researchers stumbled upon an installer named "HotPage.exe" that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic.

What really stood out to ESET researchers was the embedded driver signed by Microsoft.

Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.

ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process.