A rootkit called CEIDPageLock has been distributed through an exploit kit in recent weeks; according to a report from a Check Point researcher, it was first discovered in the wild several months ago. CEIDPageLock was found when the malware attempted to tamper with a user's browser by turning the homepage into 12345.com, a site that poses as a genuine directory for weather forecasts, TV listings and more.
What does this malware do?
CEIDPageLock is sophisticated for a browser hijacker. New features have been added to the malware, such as monitoring users and the ability to redirect the websites a user visits to fake home pages.
The malware currently targets Microsoft Windows systems. It extracts a 32-bit kernel-mode driver, saved in the Windows temporary directory under the filename "houzi.sys", which is executed as part of the standard setup process. The malware sends the victim PC's MAC address and a user ID to a custom domain controlled by the command-and-control server. When the victim starts browsing, the desired malicious configuration is inserted into the web pages, which lets the threat actors obtain account credentials, deliver malicious payloads to victims, and collect victims' data without their consent.
“They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content,” the Checkpoint team says.
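The behaviour described above gives a defender one cheap telemetry check: a kernel driver being loaded from a temporary directory is unusual on its own, and the article names the dropped file. This is an added example, not code from the article or from Check Point; it runs over constructed driver-load records modelled on Sysmon event ID 6 fields, and the temp-path patterns are an assumption about where "the Windows temporary directory" resolves on a typical host.

```python
import ntpath
import re

# Filename taken from the article; the temp-path pattern is an assumption
# (Windows\Temp and the per-user AppData\Local\Temp folder).
KNOWN_DRIVER_NAMES = {"houzi.sys"}
TEMP_PATH_RE = re.compile(r"(\\windows\\temp\\|\\appdata\\local\\temp\\)", re.I)

# Constructed sample records, not real telemetry. The article notes the
# rootkit was signed, so a valid signature alone must not clear a load.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\houzi.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\drv32.sys", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"ImageLoaded": r"C:\Program Files\Vendor\vendor.sys", "Signed": "true", "SignatureStatus": "Valid"},
]


def classify_driver_load(event):
    """Return the list of reasons a driver load is suspicious; empty means no finding."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    reasons = []
    if name in KNOWN_DRIVER_NAMES:
        reasons.append("known-name")
    if TEMP_PATH_RE.search(path):
        reasons.append("loaded-from-temp")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid")
    return reasons


def find_suspicious_loads(events):
    """Map image path -> reasons for every record that produced at least one finding."""
    findings = {}
    for event in events:
        reasons = classify_driver_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, why in find_suspicious_loads(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(why)}")
```

The signed houzi.sys load is flagged on path and name alone, which is the point: signature status is a weak signal once adversaries sign their drivers.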
New Features in the Malware…
The latest iteration of the malware is packaged with VMProtect, which makes it harder for the Check Point team to analyse the malware archive. CEIDPageLock currently targets Chinese victims; infection counts have grown to thousands in some countries but remain minimal in others, such as the US, where there are only around 40 reports so far.
“At first glance, signing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill,” Check Point says. “CEIDPageLock might seem slightly bothersome and hardly dangerous, the ability to execute code on an affected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor.”