Attackers have deployed the ad blocker-spoofing HotPage adware, which enables the stealthy delivery of a Microsoft-signed kernel driver that facilitates arbitrary code execution on targeted Windows systems, reports The Hacker News.
According to an ESET analysis, this kernel driver not only performs code injections into remote processes but also allows for system data exfiltration to a remote server linked to Hubei Dunwang Network Technology Co., Ltd.
The report also highlighted that threat actors with non-privileged accounts could exploit the driver’s lack of access control lists to escalate privileges and execute code as the NT AUTHORITY\System account. ESET researcher Romain Dumont noted that these findings indicate the continuous evolution of tactics employed by adware developers.
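The privilege-escalation path described above rests on one detail: a kernel driver's device object carries a security descriptor, and if the driver creates it without a DACL, Windows lets any local user open it and send it I/O. The following Python snippet is an added example, not ESET's analysis code or anything from the HotPage driver. It parses the DACL portion of an SDDL string and flags device objects that grant write or IOCTL-capable access to principals every non-admin user belongs to. `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` is the documented WDK constant that `IoCreateDeviceSecure` accepts; the weak descriptors and the "which rights count" heuristic are this example's own constructions and assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed example (not from the page or the driver it describes).
# SDDL abbreviations below are the documented Windows ones; which rights
# count as "can talk to the driver" is this example's assumption.

# Principals that any logged-on, non-administrative user belongs to.
UNPRIVILEGED = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "IU": "Interactive Users",
    "BU": "Users",
}

# Rights that let a caller open the device for write access or issue IOCTLs.
DANGEROUS_RIGHTS = {"GA", "GW", "FW", "FA"}

# Documented WDK constant: only SYSTEM and Administrators may open the device.
SDDL_DEVOBJ_SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

# Constructed weak descriptors for comparison.
WEAK_WORLD_ALL = "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)"  # Everyone gets GENERIC_ALL
NO_DACL = "O:SYG:SY"  # owner/group only, no D: section at all (null DACL)

# (ace_type;ace_flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


@dataclass
class Ace:
    ace_type: str      # "A" = access allowed, "D" = access denied
    rights: set[str]
    sid: str


def split_rights(rights: str) -> set[str]:
    """Turn an SDDL rights field into two-letter tokens. Hex masks are mapped
    onto the generic tokens this example cares about."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        tokens: set[str] = set()
        if mask & 0x10000000:  # GENERIC_ALL
            tokens.add("GA")
        if mask & 0x40000000:  # GENERIC_WRITE
            tokens.add("GW")
        if mask & 0x2:         # FILE_WRITE_DATA, the core of FILE_GENERIC_WRITE
            tokens.add("FW")
        return tokens
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl: str) -> list[Ace] | None:
    """Return the DACL's ACEs, or None when the SDDL has no D: section at all.
    A missing DACL means Windows grants everyone full control."""
    idx = sddl.find("D:")
    if idx < 0:
        return None
    section = sddl[idx + 2:]
    sacl = section.find("S:")  # an optional SACL follows the DACL
    if sacl >= 0:
        section = section[:sacl]
    return [Ace(t, split_rights(rights), sid)
            for t, _flags, rights, _og, _ig, sid in ACE_RE.findall(section)]


def assess_device_dacl(sddl: str) -> list[str]:
    """Human-readable findings; an empty list means no unprivileged principal
    receives write/IOCTL-capable access. Deny handling is deliberately simple:
    an explicit deny ACE for the same SID suppresses the allow."""
    aces = parse_dacl(sddl)
    if aces is None:
        return ["no DACL: every user, including non-privileged accounts, gets full access"]
    denied = {a.sid for a in aces if a.ace_type == "D"}
    findings = []
    for a in aces:
        if a.ace_type != "A" or a.sid not in UNPRIVILEGED or a.sid in denied:
            continue
        hits = a.rights & DANGEROUS_RIGHTS
        if hits:
            findings.append(f"{UNPRIVILEGED[a.sid]} ({a.sid}) granted {','.join(sorted(hits))}")
    return findings


if __name__ == "__main__":
    for label, sddl in [("hardened", SDDL_DEVOBJ_SYS_ALL_ADM_ALL),
                        ("world-writable", WEAK_WORLD_ALL),
                        ("null DACL", NO_DACL)]:
        print(f"{label:15} {sddl!r:45} -> {assess_device_dacl(sddl) or 'OK'}")
```

In practice the SDDL string comes either from the driver source (the `IoCreateDeviceSecure` call, where `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` is the conservative default) or from reading the device object's security descriptor on a running system; the point of the check is that a driver which uses plain `IoCreateDevice` and never sets a DACL lands in the "null DACL" case, which is exactly the condition that lets a non-privileged account reach the driver's IOCTL surface.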
“They have developed a kernel component with a wide range of techniques to manipulate processes, and they also met Microsoft’s requirements to obtain a code-signing certificate for their driver component,” said Dumont.