CeidPageLock Malware Hijacks Browsers and Redirects Users to Fake Pages
CeidPageLock Malware is currently being distributed by the RIG exploit kit.
The CEIDPageLock rootkit has reappeared with improved features, again delivered by the RIG exploit kit. This version monitors browsing activity, replaces legitimate sites with fake pages and redirects users to fake pages.
This rootkit was first discovered a few months ago by 360 Security Center, when it was caught tampering with the homepage of a victim’s browser. CEIDPageLock is a browser hijacker: it takes control of the victim’s browser and changes the homepage to a site posing as 2345.com, a Chinese web directory.
This malware targets Microsoft Windows systems.
Researchers monitoring Check Point’s global sensors observed that the infection is concentrated among Chinese victims, with only a small number of hits in other countries. The malware also collects the user’s browsing history and the amount of time spent on each website.
Table: Number of infections by country (columns: Country, No. of Hits)
The dropper’s main job is to extract the driver embedded in its file and save it to the “\\Windows\\Temp” directory under the name “houzi.sys” (an older version of the driver was named “CEID.sys”, which is where the malware’s name comes from).
Once the driver has executed successfully, it sends system details to the C&C server at www[.]tj999[.]top. These details include the system’s MAC address and a user ID.
The dropped driver is signed with a certificate issued by Thawte Code Signing CA – G2.
A more detailed technical analysis of the older version can be found in 360 Security’s publication.
Further, the researchers stated: “CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor”.
C7A5241567B504F2DF18D085A4DDE559 – packed dropper
F7CAF6B189466895D0508EEB8FC25948 – houzi.sys
1A179E3A93BF3B59738CBE7BB25F72AB – unpacked dropper
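As an added example (not code from the original post, Check Point or 360 Security), the following Python triage helper turns the indicators above into checks a defender can run: it flags files dropped into the Temp directory by the listed driver names or MD5 hashes, and pulls out the clients that resolved the C&C domain from a DNS log. The DNS log line format and all sample inputs are constructed assumptions.

```python
import hashlib
import re

# Indicators quoted from the post. All sample inputs further down are constructed.
KNOWN_MD5 = {
    "c7a5241567b504f2df18d085a4dde559": "packed dropper",
    "f7caf6b189466895d0508eeb8fc25948": "houzi.sys driver",
    "1a179e3a93bf3b59738cbe7bb25f72ab": "unpacked dropper",
}
DRIVER_NAMES = {"houzi.sys", "ceid.sys"}  # current and older driver file names
C2_DOMAIN_DEFANGED = "www[.]tj999[.]top"


def refang(indicator):
    """Turn the post's defanged domain back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def classify_file(name, data):
    """Verdict for one file found in \\Windows\\Temp: hash match, name match or None."""
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        return "known hash: " + KNOWN_MD5[digest]
    if name.lower() in DRIVER_NAMES:
        return "suspicious driver name: " + name
    return None


# Assumed (constructed) DNS log format: "<timestamp> <client_ip> <qtype> <qname>"
DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+\S+\s+(?P<qname>\S+)$")


def clients_resolving_c2(dns_log_lines, c2_domain=refang(C2_DOMAIN_DEFANGED)):
    """Return the sorted client IPs that looked up the C&C domain or a subdomain of it."""
    clients = set()
    for line in dns_log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        qname = m.group("qname").rstrip(".").lower()
        if qname == c2_domain or qname.endswith("." + c2_domain):
            clients.add(m.group("client"))
    return sorted(clients)


if __name__ == "__main__":
    # Constructed sample data, not real telemetry.
    print(classify_file("houzi.sys", b"not the real driver"))
    sample_log = [
        "2024-01-01T10:00:00Z 10.0.0.5 A www.tj999.top",
        "2024-01-01T10:00:01Z 10.0.0.6 A www.2345.com",
    ]
    print(clients_resolving_c2(sample_log))
```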