RIG Exploit Toolkit Distributing CeidPageLock Malware to Hijack Browsers

A previously discovered browser hijacker malware dubbed as CeidPageLock has resurfaced again, in a bigger and better avatar, reveal researchers at Check Point security firm. This time around it is loaded with new features and is being distributed through the RIG Exploit kit. Trend Micro states that among all the exploit kits, the RIG is most active nowadays and has become a big threat.

According to the assessment of researchers at Check Point, the malware is exclusively targeting Chinese users. The improved version of the malware was discovered several months ago, while it was trying to exploit a victim’s browser.

The malware is now capable of performing monitoring of browser activities, replacing authentic websites with their fake replicas, and redirecting innocent users to fake web pages. It is a powerful web browser manipulator malware that turns homepage site to a Chinese web directory titled 2345.com (actually 111l2345cn). It is a genuine directory offering weather forecasts, and television listings.

The RIG Exploit kit has the ability to infect around 27,000 machines on a daily basis. With the addition of CeidPageLock, it can now use a variety of hijacking techniques to steal user data. It attempts to collect data such as the sites visited by a user and the time spent on these sites.

Check Point researchers claim that CeidPageLock has now become an advanced and sophisticated browser hijacker with RIG support. It is only targeting systems running MS Windows. To launch an attack, the dropper extracts a 32-bit kernel-mode driver, which is named houzi.sys. The kernel-mode driver is saved in the temporary directory of Windows.

The dropper is signed with Thawte Code Signing certificate, which has already expired but successfully extracts the driver. After it is executed, the details of the infected system are transmitted to the C&C server. Information like the mac address of the device and user ID is transmitted to the C&C server.

Using this information, threat actors are able to send a malicious homepage configuration of their choice. Cybercriminals have made the driver capable enough to evade detection at endpoints. Once it is able to communicate with the C&C server, hard-coded domains are sent for download. This process leads to encryption of the homepage configuration and the browser easily tampers.

The Afdfastiodevicecontrol method is used by the rootkit to evaluate every single outgoing HTTP message. If it matches with certain strings, the rootkit adds it to its list of redirected processes. The repercussions of this sort of attack are various and diverse. Such as, victims can be issued malicious payloads, account credentials can be stolen, and private data can be obtained. The information can be sold to other companies that may use the data to instigate their marketing campaigns.

The rootkit is also equipped with VMProtect, due to which malware analysis becomes difficult. The malware also averts the browser from accessing anti-virus programs.

Check Point claims that thousands of devices have been targeted with CeidPageLock in China while in the US only 40 cases of infection have been reported.

“At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill. CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor,” explained Check Point researchers.

Related Posts