Story of a signed, vulnerable, ad-injecting driver

Malware analysis entails finding out risk actor TTPs, mapping infrastructure, analyzing novel strategies… And whereas most of those investigations construct on current analysis, generally they begin from a hunch, one thing that appears too easy. On the finish of 2023, we stumbled upon an installer named HotPage.exe that deploys a driver able to injecting code into distant processes, and two libraries able to intercepting and tampering with browsers’ community visitors. The malware can modify or substitute the contents of a requested web page, redirect the consumer to a different web page, or open a brand new web page in a brand new tab primarily based on sure situations.

The installer was detected by most safety merchandise as an adware part however what actually piqued our curiosity was the embedded driver signed by Microsoft. In response to its signature, it was developed by a Chinese language firm named 湖北盾网网络科技有限公司 (machine translation: Hubei Dunwang Community Know-how Co., Ltd), the lack of know-how about which was intriguing. The distribution technique continues to be unclear however in keeping with our analysis, this software program was marketed as an “Web café safety answer” aimed toward Chinese language-speaking people. It purports to enhance the online searching expertise by blocking adverts and malicious web sites, however the actuality is kind of completely different – it leverages its browser visitors interception and filtering capabilities to show game-related adverts. It additionally sends some details about the pc to the corporate’s server, more than likely to assemble set up statistics.

On high of its apparent mischievous conduct, this kernel part unintentionally leaves the door open for different threats to run code on the highest privilege degree out there within the Home windows working system: the SYSTEM account. On account of improper entry restrictions to this kernel part, any processes can talk with it and leverage its code injection functionality to focus on any non-protected processes.

We reported this driver to Microsoft on March 18^th, 2024 and adopted their coordinated vulnerability disclosure course of. Microsoft Safety Response Heart (MSRC) decided that that is not a vulnerability because the offending driver was faraway from the Home windows Server Catalog on Might 1^st, 2024. ESET applied sciences detect this risk as Win32/HotPage.A and Win32/HotPage.B.

Who’s 湖北盾网网络科技有限公司 ?

Throughout its execution, the HotPage malware installs a driver, however earlier than diving into the technical particulars of its internal workings, we wished to be taught extra concerning the code-signing signature of this driver. What first caught our consideration was the signing certificates’s proprietor, as illustrated in Determine 1.

For the reason that 64-bit model of Home windows 7, kernel-mode drivers have been required to be signed to be loaded by the working system. As beforehand detailed by Mandiant Intelligence, SentinelLabs, and G DATA groups, the signing course of is constructed on belief however there have been instances the place this was abused. It appears that evidently the Chinese language firm went via Microsoft’s driver code-signing requirements and managed to acquire an Prolonged Verification (EV) certificates as proven in Determine 2.

With a view to retrieve the corporate title related to this signature, the extraction of the signers’ attributes was mandatory. Determine 3 reveals the SpcSpOpusInfo attribute recognized by the item ID 1.3.6.1.4.1.311.2.1.12.

Utilizing the LIEF binary parser, it’s doable to extract the construction member programName that identifies the corporate behind this signature, as displayed in Determine 4.

We discovered a reference to this firm within the Windows Server Catalog, as proven in Determine 5. The corporate used varied product classes when submitting its drivers for certification. Primarily based on its title, it seems the corporate developed two community filtering packages: a netfilter part and the HotPage driver referred as adsafe or by its inside title KNewTalbeBase (Be aware the [Tt]albe typo, which additionally happens elsewhere within the HotPage code).

Investigating the corporate via serps didn’t yield many outcomes. In response to the corporate register dingtalk, we found that the corporate was created on January 6^th, 2022 and offered the e-mail deal with dwadsafe@mail[.]io. The enterprise scope consists of: technology-related actions corresponding to improvement, companies, consulting, and so forth., but in addition promoting actions. As translated in Determine 6, the principal shareholder is now Wuhan Yishun Baishun Tradition Media Co., Ltd, a really small firm that appears to be specialised in promoting and advertising.

From the Mental Property tab, we discovered that in April and Might 2022 the corporate utilized for the commerce title Protect Web Café Safety Protection and the web site dwadsafe[.]com was created on February 22^nd, 2022. The area now resolves to localhost (127.0.0.1) and is subsequently inaccessible. Nonetheless, a screenshot of the web site was taken on November 10^th, 2023 by a web crawler, as seen in Determine 7.

The HTTP physique of the URL https://www.dwadsafe[.]com/login/reg.html (SHA-1: 744FFC3D8ECE37898A0559B62CC9F814006A1218) was additionally captured by VirusTotal. The supply code comprises the outline 网吧主动防御云平台 (machine translation: Web café energetic protection cloud platform). This web page features a license settlement that particulars the aim of the software program, albeit with contradictions. Desk 1 lists some attention-grabbing bits of that data.

Desk 1. Translation of the related components of the license settlement

In response to the license settlement, the software program is certainly marketed as a safety answer for web cafés to dam adverts. Nonetheless, regardless of the corporate’s claims that DwAdsafe doesn’t have any interception functionality, our investigation revealed that the software program does have a somewhat intrusive one and comes with pre-written, unmodifiable guidelines.

Other than these bits of knowledge, the corporate behind this malicious part stays a thriller.

HotPage evaluation

On this part we describe how the completely different elements are put in and work together with one another to attain their objective: injecting adverts into the browser. Up to now, we haven’t came upon how the malware was distributed however we consider, with low confidence, that it may need been bundled with one other software program bundle or marketed as a safety product because of the degree of privileges wanted to put in the motive force. Just a few references promoting the product had been present in some boards in 2022; an instance is seen in Determine 8.

The installer drops the motive force on disk and begins a service to execute it. It decrypts its configuration file, which comprises an inventory of goal Chromium-based browsers and libraries. If such executables are discovered working or being loaded, the motive force tries to inject one of many listed libraries into the browser course of. After hooking network-based Home windows API capabilities, the injected library checks the URL being accessed and beneath sure situations, it shows one other web page to the consumer via various means.

The installer

The installer we analyzed (SHA-1: 941F0D2D4589FB8ADF224C8969F74633267B2561) is a UPX-compressed file that was uploaded to VirusTotal on 2023-08-26. Determine 9 supplies a high-level overview of the motive force set up.

The installer comprises the encrypted variations (single-byte XOR operation with the important thing 0xE3) of the motive force part, the libraries that can be injected into internet browser processes, and three JSON-formatted configuration recordsdata:

• chromedll comprises the names of the focused browser libraries to hook and the focused capabilities’ sample for hooking them,
• hotPage (unused) comprises the checklist of focused browsers, allowlists of command line parameters and web sites, and the homepage URL that might be used, and
• newtalbe comprises filtering guidelines, an API endpoint to ship primary details about the compromised pc, and one other one to handle configuration updates.

The malware begins by executing the CPUID instruction (see Hypervisor Discovery), to examine whether or not it’s working inside a virtualized setting. Then it checks if the motive force’s gadget filename .KNewTableBaseIo exists and if not, it decrypts the motive force and shops it in C:WindowsShieldNetWorkBusiness. Its title is a randomly generated 7-character string adopted by the .sys extension. A service is created with the file path of the saved driver, and the random string is used because the service title. For the reason that begin sort is about to SERVICE_DEMAND_START, the service must be explicitly began with the intention to load the motive force. Oddly, this adware doesn’t implement any persistence mechanisms, or at the least not on this model.

The installer proceeds to speak with and configure the motive force by way of its gadget filename utilizing I/O management codes within the following order:

1. 0x9C4013FC – ship the 32-bit hooking library that can be injected into goal internet browser processes.
2. 0x9C400FFC – ship the 64-bit hooking library that can be injected into goal internet browser processes.
3. 0x9C40173C – ship the chromedll configuration.

The installer retrieves the registry key related to the created service and checks to see if the values IP and port are current. These values are by no means set by this code so they’re presumably created by one other part. With out going into the small print of the community protocol, the distant server ought to serve an replace of the newtalbe configuration. The communication is encrypted with RC4, utilizing a key derived from the string ID:f~WdH+Ok?KD)r*sD4mk utilizing the Home windows BCryptGenerateSymmetricKey perform. Determine 10 reveals the content material of the configuration file.

Desk 2 describes the necessary values used from this file, listed within the order that they seem within the configuration file (Determine 10).

Desk 2. newtalbe configuration description

Utilizing the hostapi URL worth of this file, an HTTP GET request is remodeled TLS with a generic Person-Agent string. The acquired information is decrypted utilizing RC4 with the hostapikey worth; it comprises a dictionary of gaming-related hostnames with their corresponding resolved deal with.

As soon as these updates are finished, the installer sends the up to date newtalbe configuration to the motive force by issuing an I/O request with the management code 0x9C400BFC.

Lastly, the malware iterates over the checklist of endpoints offered by the JSON factor apiurl and for every one in every of them it creates a JSON-formatted string containing details about the compromised pc, encrypts it with RC4 utilizing the important thing Abc123!@#&XM derived by way of the Home windows API BcryptGenerateSymmetricKey, and sends the collected data to the distant server by way of an HTTP POST request. The collected data consists of the pc title, the community interface MAC deal with, the model of the working system, and the size of the display.

Injector driver

The motive force’s most important objective is to inject libraries into browser purposes and alter their execution stream to vary the URL being accessed or open a web page in a brand new tab. Two threads are created to deal with requests for opening a brand new tab and injecting libraries utilizing the publicly out there Blackbone mission. Moreover, process creation and image loading notification routines are set to watch newly created processes and executable pictures being loaded. The simplified logic of the motive force is illustrated in Determine 11.

For an unknown motive, the motive force begins by deleting its picture from the disk. Afterwards it creates a tool object named .KNewTableBaseIo and units its IRP_MJ_DEVICE_CONTROL routine to deal with the assorted I/O requests listed in Desk 3. The management codes (IOCTL) used for configuration or setting the injected libraries can solely be referred to as as soon as; subsequently the settings can’t be up to date. These particular management codes are protected by checking that the caller’s file path matches the common expression *ShieldNetWorkEnterpriseDwBusiness_*.

Desk 3. Listing of obtainable IOCTLs and their description

When dealing with the management codes 0x9C400BFC and 0x9C40173C, the motive force iterates over the loaded modules of all of the working processes. If one of many focused modules listed within the chromedll configuration is discovered, a request to inject a library into that course of is queued.

Lastly, the motive force ends its initialization by creating two threads and setting the notification routines talked about above.

It is very important word that the hotPage configuration isn’t set. Any mentions of this file are solely made to explain how it could be used in keeping with the motive force’s management stream. Primarily the hotPage configuration is used to redirect the consumer to a particular web page (or homepage) full of adverts when a focused browser is launched.

The model of the software program we analyzed relied solely on the chromedll and newtalbe configurations to attain its advert injection.

Library injection thread

This thread checks the queued injection requests, and for every of them, it attaches itself to the focused course of by way of KeStackAttachProcess, allocates chunks of reminiscence, and copies its shellcode. Utilizing the Blackbone library perform ZwCreateThreadEx, the motive force calls the shellcode, which implements its personal PE loader and calls the entry level of the injected library.

New tab thread

The second thread makes use of the identical logic; nevertheless, the injected shellcode is completely different. It calls the Home windows API perform CreateProcessW with the command line parameter being the method title of the focused course of concatenated with the URL that ought to be opened. The latter is made from the URL adopted by the sum of the idindex and the userid variables from the hotPage configuration. As an illustration, the configuration proven in Determine 12 would create the string https://www.hao774[.]com/?90386-00001. Since Chromium-based browsers create a brand new course of for every new tab, making a course of from the browser course of will successfully create a brand new tab.

Determine 12 reveals the content material of the hotPage configuration file.

This configuration file comprises the checklist of focused internet browsers and command line parameters that decide whether or not the method ought to be injected. The domains are both associated to gaming adverts or web café upkeep.

Course of creation notification routine

Primarily, this routine makes certain the homepage of the brand new internet browser occasion is redirected to a particular URL current within the hotPage configuration. This part describes how the motive force implements this characteristic even when it’s not used, since this model of the installer by no means sends this configuration to the motive force.

Relying on the next situations, the online browser course of can be marked as eligible for opening the URL within the hotPage configuration:

• that is the primary occasion of the browser and never a brand new tab being opened,
• the method’s file path matches one of many common expressions within the browser checklist within the hotPage configuration,
• the command line of the method doesn’t match any common expression within the wlist checklist of the hotPage configuration, and
• if the method’s command line consists of its personal file path, it should not match any common expressions within the ppwlist checklist of the hotPage configuration.

As detailed within the subsequent part, when the browser course of begins loading the primary executable pictures, a request to open a brand new tab is queued. Determine 13 and Determine 14, respectively, present the distinction between the reputable internet listing 2345[.]com and the ad-riddled web page exhibited to the consumer.

Picture loading notification routine

This routine primarily handles two sorts of situations. If the picture being loaded is within the chromedll checklist, an APC routine is queued that may load one of many hooking libraries by way of its personal PE loader.

In any other case, if the method was marked eligible for opening a brand new web page, the malware achieves this both by opening it in a brand new tab or within the present one. If the method filename matches one of many common expressions within the browser1 checklist of the hotPage configuration, a request to open a brand new tab is queued and can be dealt with by the suitable thread (word that the browser1 checklist factor was not current within the configuration file we retrieved). Within the different case, the web page can be opened within the tab being created by queuing a piece merchandise (by way of IoQueueWorkItemEx) that may modify the command line of the method being created. The latter attaches itself to the method, finds the export deal with of GetCommandLineA and GetCommandlineW contained in the kernelbase.dll library, and modifies the Unicode string saved in BaseAnsiCommandLine. The command line is changed with the method’s executable file path concatenated with the URL within the hotPage configuration. Determine 15 reveals a side-by-side comparability of the code accountable for discovering the command line buffer and the disassembly of the GetCommandLineA perform.

Injected library

The very first thing that the injected library does is to retrieve the hotPage and newtalbe configurations by querying the motive force. If the injected browser filename is 360Chrome, it deletes the registry key HKCUSoftware360chromeHomepage and patches the Preferences file (positioned beneath the browser’s default listing 360chromechromeUser DataDefaultPreferences) to make the homepage level to the URL worth of the hotPage configuration.

Utilizing the Microsoft Detours hooking library, the pattern hooks SetProcessMitigationPolicy to make it return 1 with the intention to stop safety insurance policies from being utilized to the method, thereby permitting code injection. Then getaddrinfo is hooked to drive the browser to resolve sure hostnames to particular IP addresses to make sure the redirection is made to the precise server in case the domains don’t exist anymore.

Hooking SSL_read and SSL_write

The malware hooks the SSL_read and SSL_write capabilities to permit the manipulation of the browser’s decrypted TLS visitors; it does so by looking for particular patterns contained in the loaded modules, since these capabilities usually are not exported. As an illustration, the chromewrite dictionary contained in the chromedll configuration comprises two sorts of patterns, sslcode and oldchrome, as seen in Determine 16. They’re, respectively, used for locating newer and older variations of the DoPayloadWrite perform. We examined and confirmed that the patterns match the Microsoft Edge library msedge.dll model 122.0.2365.80.

The mode worth is used to find out the model of the sample, both 32-bit or 64-bit; the code worth is the precise byte sample, and the offset is the gap from the beginning of the sample to the pointer to the SSL_write perform (see Determine 17).

As soon as SSL_write and SSL_read are discovered, they’re hooked utilizing the Detours library. For the previous, the malware inspects the information after which calls the unique perform, which encrypts and sends it. As for the latter, the injected library does the other with the intention to manipulate decrypted information. For each capabilities, the information is inspected by the code that respectively handles the AFD_SEND and AFD_RECV management codes within the perform hooking NtDeviceIoControlFile.

Hooking NtDeviceIoControlFile and inspecting incoming and outgoing information

The malicious library hooks the NtDeviceIoControlFile perform to deal with particular IOCTL codes as seen in Determine 18.

For the management code 0x12023 (AFD_SEND_DATAGRAM used when sending UDP packets), the malware cancels any DNS requests by returning STATUS_INVALID_PARAMETER if the distant port quantity is 53. This ensures that the online browser solely makes use of the hosts offered by the newtalbe configuration.

The routine that handles the management code 0x1201F (AFD_SEND) begins by extracting the URL and the Referrer header from the request. Primarily based on the URL matching sure values within the newtalbe and hotPage configurations, the malware performs assorted actions, as described in Desk 4. In some instances, the request is distributed however the response is modified within the routine dealing with the AFD_RECV management code by completely different redirection strategies defined afterwards.

Desk 4. Listing of actions carried out beneath sure situations when sending HTTP requests

For management code 0x12017 (AFD_RECV), the malware first retrieves the information acquired by the shopper and checks if the response was marked eligible for redirection. There are 4 sorts of redirections as described in Desk 5. The xxx string within the modified response is modified for the URL within the newtalbe configuration.

Desk 5. Redirection strategies

Determine 19 illustrates redirection technique 0 being utilized after navigating to a URL matching one of many blist URL patterns of the newtalbe configuration (www.5zy[.]cn). One other tab is opened and factors to the url laid out in the identical configuration.

Safety points and privilege escalation

When initializing its gadget object, the motive force doesn’t specify any entry management lists (ACLs) to limit who can talk with it; subsequently, anybody can ship I/O requests to it. As talked about beforehand, some I/O management codes require the requesting course of to be in a path matching the regex:

*ShieldNetWorkEnterpriseDwBusiness_*

That is clearly not enough to examine whether or not the speaking course of is without doubt one of the HotPage elements and might simply be bypassed by creating the required directories beneath a user-writable folder.

We got here up with two situations that will enable a consumer with the HotPage driver working on their system to run code because the NT AUTHORITYSystem account. We created a proof-of-concept (PoC) script in Python to attain each situations.

State of affairs #1: Privilege escalation by way of arbitrary DLL injection in arbitrary processes

On this first state of affairs, we assume that the motive force was loaded however that the chromedll configuration and the libraries to inject it weren’t set. In that case, it’s doable to create and set our personal library to inject. We created a small library that will merely log the PID of the injected course of, whether or not it’s working with administrator privileges, and the injected course of’s file path.

As seen within the screenshot of the log file in Determine 20, loads of processes had been injected with our library together with processes with administrator privileges.

It ought to be famous, nevertheless, that protected processes can’t be injected utilizing this system.

State of affairs #2: Privilege escalation by way of altering the command line of newly created processes

Within the first state of affairs, we relied on the truth that each the injected libraries and the chromedll configuration weren’t set, however, as seen within the installer evaluation, they’re each set as quickly as the motive force is initially loaded. Nonetheless, the hotPage configuration by no means will get set. Primarily based on the management stream evaluation, we devised a approach to leverage the motive force’s course of creation and picture loading notification routines’ logic to execute the identical executable once more however with a unique command line.

Beneath sure situations, as defined within the Process creation notification routine and Image loading notification routine sections, the motive force can open a brand new tab pointing to the URL current within the hotPage configuration. That is achieved both by changing the command line of the newly created browser course of or by duplicating the browser course of and altering its command line to the URL within the hotPage configuration. If we specify which course of will be duplicated and the brand new command line, we will obtain privilege escalation by focusing on a course of with SYSTEM privileges, as an example.

Conclusion

The evaluation of this somewhat generic-looking piece of malware has confirmed, as soon as once more, that adware builders are nonetheless prepared to go the additional mile to attain their targets. Not solely that, these have developed a kernel part with a big set of strategies to govern processes, however additionally they went via the necessities imposed by Microsoft to acquire a code-signing certificates for his or her driver part.

The HotPage driver reminds us that abusing Prolonged Verification certificates continues to be a factor. As loads of safety fashions are in some unspecified time in the future primarily based on belief; risk actors are inclined to play alongside the road between reputable and shady. Whether or not such software program is marketed as a safety answer or just bundled with different software program, the capabilities granted because of this belief expose customers to safety dangers.

As annoying as adware will be, the vulnerabilities launched by this malware go away the system open to much more harmful threats. An attacker with a non-privileged account might leverage the susceptible driver to acquire SYSTEM privileges or inject libraries into distant processes to trigger additional injury, all whereas utilizing a reputable and signed driver.

ESET applied sciences detect this risk – which Microsoft faraway from the Home windows Server Catalog on Might 1^st, 2024 – as Win32/HotPage.A and Win32/HotPage.B.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com

ESET Analysis provides non-public APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

A complete checklist of IoCs and samples will be present in our GitHub repository.

Recordsdata

Community

MITRE ATT&CK strategies

This desk was constructed utilizing version 15 of the MITRE ATT&CK framework.