New version of CEIDPageLock rootkit found distributed via RIG exploit kit

• The latest version of CEIDPageLock appears to focus on Chinese victims.
• Unlike the previous version of the rootkit, the new version comes packed with anti-analysis features.

A new version of CEIDPageLock rootkit has been discovered. The rootkit is being distributed by the RIG exploit kit (EK). The latest version of the rootkit is capable of hijacking browser sessions as well as monitoring browsing activities, replacing websites with fraud pages and redirecting victims to these fake pages.

According to security researchers at Check Point, who discovered the new version of CEIDPageLock, the rootkit was first discovered several months ago when it was making attempts to meddle with the homepage of a victim’s browser and replace it with a site pretending to be ‘2345.com’ - a Chinese web directory.

“While already quite sophisticated for a browser hijacker, the new version of the rootkit observed in the wild contains a few notable improvements that make it even more effective. Chiefly among them is a new functionality that monitors user browsing and dynamically replaces the content of several popular Chinese websites with the fake homepage, whenever the user tries to visit them” Check Point researchers said in a blog post.

Modus Operandi

The malware primarily targets Microsoft Windows systems. CEIDPageLock dropper comes signed with a Thawte Code Signing certificate that has already been revoked by the issuer. The main function of the dropper is to extract a 32-bit kernel-mode driver which resides within the Windows temporary directory with the name ‘houzi.sys’.

When the driver is executed, the malware sends the details of the infected system (such as the PC’s address and user ID) to the threat actor’s C2 server. This information is later used when a victim begins browsing to trick the victim into downloading the malicious homepage configuration.

This can allow attackers to perform a variety of nefarious activities on a victim’s computer, such as obtain account credentials, deliver malicious payloads and collect sensitive information without the consent of the user.

"They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content," the Check Point’s security experts noted.

Rootkit targets Chinese victitms

The latest version of CEIDPageLock appears to focus on Chinese victims. The rootkit has already infected around 11,000 victims in the country. When compared to the first version, the new version comes packed with VMProtect, which makes the analysis on the malware more difficult.

"At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill. CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor" Check Point researchers said.