Microsoft approved a fake ad blocker that injected malware at the kernel level

Cybercriminals were able to trick their way into Microsoft’s secure ecosystem using malicious software disguised as a normal application. This became known thanks to an investigation conducted by cybersecurity experts from Eset.

Image source: Copilot

Dubbed DWAdsafe and originally discovered in late 2023, the malware masquerades as a HotPage.exe installer that purports to improve website performance and block ads. However, in reality, DWAdsafe injects code into system processes and intercepts browser traffic, redirecting users to game-related advertisements.

As reported by TweakTown, citing a study by Eset antivirus software developers, the malware could change, replace or redirect web traffic and open new tabs, depending on certain conditions. It is interesting that the built-in HotPage.exe driver was approved and signed by Microsoft, although it belonged to the Chinese company Hubei Dunwang Network, about which almost nothing was known.

Image Source: Welivesecurity.com

The investigation also found that the software, advertised as an “internet café security solution,” targeted Chinese-speaking users and collected computer data for statistical purposes, which was then redirected to the DWAdsafe developers’ server.

The concern is that Microsoft’s review and approval process allowed a malicious application to enter the Windows Server directory. Romain Dumont, one of the Eset researchers, commented on the situation: “I don’t think there is a completely reliable process for checking all the companies’ data and whether the declared functions of the software correspond to the actual functions. Microsoft could do more thorough checks, but let’s face it: it’s a difficult and time-consuming task.”

Eset reported the malware to Microsoft on March 18, 2024. The software giant removed the problematic product from the Windows Server catalog on May 1, 2024. Eset has since labeled this threat as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.