Meet the malware which hijacks your browser and redirects you to fake pages

Source: Vsoftsystems, 17/09/2018


The malware is currently being distributed through the RIG exploit kit.
The RIG exploit kit, which at its peak infected an average of 27,000
machines per day, has been grafted with a new tool designed to hijack
browsing sessions.
The malware in question, a rootkit called CEIDPageLock, has been
distributed through the exploit kit in recent weeks.
According to researchers from Check Point, the rootkit was first
discovered in the wild several months ago.
CEIDPageLock was detected when it attempted to tamper with a victim's
browser. The malware was attempting to turn their homepage into
2345.com, a legitimate Chinese directory for weather forecasts, TV
listings, and more.
The researchers say that CEIDPageLock is sophisticated for a browser
hijacker, and that the version now bundled with RIG has received
"noticeable" improvements.
Among the new additions is functionality which permits user browsing
activities to be monitored, alongside the ability to replace a number of
websites with fake home pages.
The malware targets Microsoft Windows systems. The dropper extracts a
32-bit kernel-mode driver which is saved in the Windows temporary
directory with the name "houzi.sys". While signed, the certificate has
since been revoked by the issuer.
Once the driver is running, hidden amongst standard drivers during
setup, the dropper sends the victim PC's MAC address and user ID
to a malicious domain controlled by a command-and-control (C&C)
server. This information is then used when the victim begins browsing,
in order to download the desired malicious homepage configuration.
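As an added defender-side example (not from the article or from Check Point), a PowerShell hunt for the dropped driver named above; it assumes the dropper writes to either the user or the system temp directory and that the driver, if installed, is registered as a system driver.

```powershell
# Added example, not the article's or Check Point's code.
# Look for the driver file the article names, report its Authenticode
# signature and hash, and check whether a driver by that name is registered.
# Assumption: the dropper uses the user temp dir or %SystemRoot%\Temp.
$driverName = 'houzi.sys'
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique

$findings = foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status            # Valid, NotSigned, NotTrusted, ...
                Signer    = $sig.SignerCertificate.Subject
                NotAfter  = $sig.SignerCertificate.NotAfter
            }
        }
}

if ($findings) { $findings | Format-List } else { "No $driverName found in temp directories." }

# Revocation checking depends on the host reaching the issuer's CRL/OCSP,
# so regardless of the signature result also check for a registered driver.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" } |
    Select-Object Name, PathName, State, StartMode
```

Run as an administrator so the system temp directory and driver list are readable; a hit on either check is worth escalating alongside the outbound C&C traffic the article describes.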
If victims are redirected from legitimate services to fraudulent ones,
this can lead to threat actors obtaining account credentials, victims
being served malicious payloads, and data being gathered without
consent.
"They then either use the information themselves to target their ad
campaigns or sell it to other companies that use the data to focus
their marketing content," the team says.
The latest version of the rootkit is also packed with VMProtect, which
Check Point says makes analysis of the malware more difficult. In
addition, the malware prevents browsers from accessing antivirus
solutions' files.
CEIDPageLock appears to focus on Chinese victims. Infection counts
number in the thousands for the country, and while Check Point has
recorded 40 infections in the United States, the spread of the malware
is considered "negligible" outside of China.
"At first glance, writing a rootkit that functions as a browser
hijacker and employing sophisticated protections such as VMProtect,
might seem like overkill," Check Point says. "CEIDPageLock might seem
merely bothersome and hardly dangerous, the ability to execute code on
an infected device while operating from the kernel, coupled with the
persistence of the malware, makes it a potentially perfect backdoor."
According to Trend Micro, exploit kits are still making inroads in the
cybersecurity landscape. RIG remains the most active, followed by
GrandSoft and Magnitude.