CeidPageLock Malware

CeidPageLock Malware Hijacks Browsers and Redirects Users to Fake Pages

CeidPageLock Malware is currently being distributed by the RIG exploit kit.


The CeidPageLock rootkit has reappeared with improved features, distributed by the RIG exploit kit. This version monitors browsing activity, replaces legitimate sites with fake pages and redirects users to fake pages.

This rootkit was first discovered a few months ago by 360 Security Center. It was identified attempting to mess with the homepage of a victim’s browser. CEIDPageLock malware is a browser hijacker. It controls the victim’s browser and changes their home-page to a site appearing to be 2345.com – a Chinese web directory.


This malware targets Microsoft Windows systems.

Researchers at Check Point, using the company’s global sensors, observed that the infection is concentrated among Chinese victims, with only a small number of hits in other countries. The malware also collects information about the user’s browsing history and the amount of time spent on each website.

Country           No. of Hits
China             11,000
US                40
Taiwan            18
Hong Kong         10
United Kingdom    5
Denmark           5
Japan             2

Table: Number of infections by country

CeidPageLock Dropper

The dropper’s main function is to extract the driver embedded in its file and save it to the “\\Windows\\Temp” directory under the name “houzi.sys” (an older version of the driver was named “CEID.sys”, which is where the malware’s name comes from).
Once the driver is running, it sends system details to the C&C server (domain www[.]tj999[.]top). These details include the machine’s MAC address and a user ID.


The dropped driver carries a certificate signed by:

  1. 浙江恒歌网络科技有限公司
  2. Thawte Code Signing CA – G2
  3. thawte


A further deep technical analysis for the older version can be found in 360 Security’s publication.

Further, the researchers stated: “CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor”.

IOCs:

www[.]tj999[.]top
42.51.223.86
118.193.211.11

MD5:

C7A5241567B504F2DF18D085A4DDE559 – packed dropper
F7CAF6B189466895D0508EEB8FC25948 – houzi.sys
1A179E3A93BF3B59738CBE7BB25F72AB – unpacked dropper
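As an added defensive example (not code from the article or from Check Point), the following Python script applies the indicators listed above: it checks a Temp directory for the dropped driver by name or by MD5, and flags proxy-log lines that contact the listed C&C domain or IP addresses. The placeholder houzi.sys file and the proxy-log lines are constructed, and the defanged domain is refanged for matching.

```python
import hashlib
import os
import re
import tempfile

# Indicators as listed in the article; the defanged domain is refanged for matching.
IOC_DOMAINS = {"www.tj999.top"}
IOC_IPS = {"42.51.223.86", "118.193.211.11"}
IOC_MD5 = {"c7a5241567b504f2df18d085a4dde559": "packed dropper",
           "f7caf6b189466895d0508eeb8fc25948": "houzi.sys",
           "1a179e3a93bf3b59738cbe7bb25f72ab": "unpacked dropper"}
IOC_DRIVER_NAMES = {"houzi.sys", "ceid.sys"}  # current and older driver file names

def scan_temp_dir(temp_dir):
    """Flag files whose MD5 is a known indicator, or whose name matches the dropped driver."""
    findings = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
        if digest in IOC_MD5:
            findings.append((name, "known-hash", IOC_MD5[digest]))
        elif name.lower() in IOC_DRIVER_NAMES:
            findings.append((name, "suspicious-name", digest))
    return findings

# Host names and dotted-quad IPs inside a log line.
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_log_lines(lines):
    """Return (line_no, indicator) for every line that contacts a known C&C host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _HOST_RE.findall(line.lower()):
            if token in IOC_DOMAINS or token in IOC_IPS:
                hits.append((n, token))
    return hits

# Constructed sample proxy-log lines (not real traffic).
SAMPLE_PROXY_LOG = ["2018-08-01T10:02:11Z WIN-PC01 GET http://www.tj999.top/ 200",
                    "2018-08-01T10:02:12Z WIN-PC01 GET https://update.example.com/ 200",
                    "2018-08-01T10:03:40Z WIN-PC02 CONNECT 118.193.211.11:443"]

def demo_scan():
    # Scan a throwaway directory holding a harmless placeholder named houzi.sys.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "houzi.sys"), "wb") as f:
            f.write(b"constructed placeholder, not the real driver")
        return scan_temp_dir(tmp)
```

On a real host the scan would be pointed at the actual Temp directory and the log scanner at exported proxy or DNS logs; a name-only match should be confirmed by hash or by a driver-signature check before acting on it.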
