Cyber Security News

Novel Chinese Browser Injector Lets Hackers Intercept Web Traffic

Hackers exploit browser injectors to manipulate web content, steal sensitive information, and hijack user sessions.

By injecting malicious code into a user’s browser, they can carry out a wide range of illicit activities, and they do so by abusing the trust the user places in their browser.

Cybersecurity researchers at ESET recently identified a novel Chinese browser injector that enables hackers to intercept traffic.

Novel Chinese Browser Injector

HotPage.exe, discovered in late 2023, is a malicious installer deploying a Microsoft-signed driver and libraries that intercept browser traffic. 

HotPage driver’s digital signature (Source – Welivesecurity)

Developed by Hubei Dunwang Network Technology Co., Ltd., it poses as an “Internet cafe security solution” but injects game-related ads and collects system information.


The driver, signed with an Extended Validation (EV) certificate, allows code injection into any non-protected process with SYSTEM privileges because of improper access restrictions.

Distributed via unknown means, possibly bundled software, it targets Chromium-based browsers. 

The installer uses encrypted configurations and communicates with remote servers for updates and data exfiltration. 

Installer’s workflow (Source – Welivesecurity)

Microsoft removed the vulnerable driver on May 1, 2024, following disclosure on March 18. ESET detects this threat as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

The HotPage driver performs the library injection into browsers, which lets the injected code edit URLs and open new tabs. For the injection itself it relies on Blackbone, monitoring processes and handling responses through the .\KNewTableBaseIo device.

The code injected into processes consists of targeted modules that redirect users to ad pages and hook SSL_read/SSL_write to manipulate traffic. Without appropriate access controls, the driver can also lead to privilege escalation, the ESET report says.
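The injection described above ends with user-mode modules loaded into browser processes, and that is where a defender can look for it. The following is an added example, not code from the article or from ESET: it scans constructed image-load records shaped like Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus) and flags any module that a Chromium-based browser loaded from outside its expected install directories or without a valid signature. The browser list, the trusted directories and the sample records are assumptions made for this example.

```python
"""
Added example, not code from the article or from ESET: a small detector that
reads image-load telemetry in the shape of Sysmon Event ID 7 ("Image loaded")
records and flags modules that a Chromium-based browser loaded from outside
its expected install directories or without a valid signature. The records
below are constructed for this example and are not real HotPage telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Chromium-based browser image names to watch (assumption: adjust per fleet).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Directories from which a browser is normally expected to load modules.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class Finding:
    process: str
    module: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened 'Key: value | Key: value' record (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        # Split only at the first colon so drive letters in paths survive.
        key, _, value = part.strip().partition(":")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def check_image_load(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a browser loads a suspicious module, else None."""
    process = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if process not in BROWSERS:
        return None  # only browser processes are in scope for this check
    module = ev.get("ImageLoaded", "")
    reasons = []
    if not module.lower().startswith(TRUSTED_DIRS):
        reasons.append("module loaded from outside expected install directories")
    signed = ev.get("Signed", "").lower() == "true"
    valid = ev.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("module is unsigned or its signature is not valid")
    return Finding(process, module, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run the check over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_image_load(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


SAMPLE_EVENTS = [
    # Constructed: Chrome loading one of its own signed modules -> benign
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | "
    "ImageLoaded: C:\\Program Files\\Google\\Chrome\\Application\\126.0.0.0\\chrome_elf.dll | "
    "Signed: true | SignatureStatus: Valid",
    # Constructed: Chrome loading an unsigned DLL from a user-writable directory -> flagged
    "Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | "
    "ImageLoaded: C:\\Users\\Public\\example_injected.dll | "
    "Signed: false | SignatureStatus: Unavailable",
    # Constructed: Edge loading a system DLL -> benign
    "Image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe | "
    "ImageLoaded: C:\\Windows\\System32\\ntdll.dll | Signed: true | SignatureStatus: Valid",
    # Constructed: non-browser process, out of scope for this check
    "Image: C:\\Windows\\System32\\notepad.exe | ImageLoaded: C:\\Users\\Public\\helper.dll | "
    "Signed: false | SignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process}: {f.module} -> {'; '.join(f.reasons)}")
```

Two points about the design: the check combines the load path with the signature status rather than trusting either alone, because, as the article notes, HotPage's own driver carried a Microsoft-issued signature, so "signed" by itself is not evidence of legitimacy; and the injection being driven from a kernel driver does not hide the resulting image load from user-mode telemetry, since the module still has to be mapped into the browser process.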

Simplified driver logic (Source – Welivesecurity)

There are two exploit scenarios: arbitrary DLL injection into processes, and altering the command lines of newly created processes. Both can result in code execution with SYSTEM privileges.

This includes encrypted configurations (chromedll, hotPage, newtalbe) used for targeting browsers, defining injection rules, and managing advertising content.

The driver also utilizes different kinds of redirections that can break any browser’s security policies.

The HotPage adware driver shows some advanced techniques, for instance a kernel component for process manipulation and a Microsoft-issued code-signing certificate.

This makes it difficult to differentiate between legitimate and fraudulent certificates. HotPage is classified as adware, but its flaws allow users without administrative privileges to gain system access or inject DLLs into remote processes.

On May 1, 2024, Microsoft pulled HotPage from the Windows Server Catalog. ESET classifies it as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B, and the case shows how an innocuous-looking application can be exploited to endanger essential systems.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
