
Meet the malware which hijacks your browser and redirects you to fake pages

Discussion in 'General Malware And Security' started by starbuck, Aug 29, 2018.

    starbuck (Administrator - Malware Removal Specialist)


    Joined:
    Sep 26, 2009
    Messages:
    3,518
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    The malware is currently being distributed through the RIG exploit kit.

    The RIG exploit kit, which at its peak infected an average of 27,000 machines per day, has been grafted with a new tool designed to hijack browsing sessions.

    The malware in question, a rootkit called CEIDPageLock, has been distributed through the exploit kit in recent weeks.

    According to researchers from Check Point, the rootkit was first discovered in the wild several months ago.

    CEIDPageLock was detected when it attempted to tamper with a victim's browser.
    The malware was attempting to turn their homepage into 2345.com, a legitimate Chinese directory for weather forecasts, TV listings, and more.

    The researchers say that CEIDPageLock is sophisticated for a browser hijacker and, now a bolt-on for RIG, has received "noticeable" improvements.

    Among the new additions is functionality which permits user browsing activities to be monitored, alongside the power to change a number of websites with fake home pages.

    The malware targets Microsoft Windows systems.
    The dropper extracts a 32-bit kernel-mode driver which is saved in the Windows temporary directory with the name "houzi.sys."
    While signed, the certificate has now been revoked by the issuer.

    When the driver executes, hidden amongst standard drivers during setup, the dropper then sends the victim PC's MAC address and user ID to a malicious domain controlled by a command-and-control (C&C) server. This information is then used when a victim begins browsing in order to download the desired malicious homepage configuration.

    If victims are redirected from legitimate services to fraudulent ones, this can lead to threat actors obtaining account credentials, victims being issued malicious payloads, as well as the gathering of data without consent.

    "They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content," the team says.

    The latest version of the rootkit is also packed with VMProtect, which Check Point says makes an analysis of the malware more difficult to achieve.
    In addition, the malware prevents browsers from accessing antivirus solutions' files.

    CEIDPageLock appears to focus on Chinese victims. Infection rates number in the thousands for the country, and while Check Point has recorded 40 infections in the United States, the spread of the malware is considered "negligible" outside of China.

    "At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill," Check Point says.
    "CEIDPageLock might seem merely bothersome and hardly dangerous; the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor."

    According to Trend Micro, exploit kits are still making inroads in the cybersecurity landscape.
    RIG remains the most active, followed by GrandSoft and Magnitude.


    Source:
    https://www.zdnet.com/article/meet-...-redirects-you-to-fake-pages/#ftag=RSSbaffb68
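
The indicators the article gives (a 32-bit kernel-mode driver named houzi.sys dropped into the Windows temporary directory, signed with a certificate the issuer has since revoked, and a browser homepage forced to 2345.com) can be turned into a quick host check. The PowerShell below is an added example written for this page; it is not code from Check Point, ZDNet or the poster. The directories searched, the use of the Internet Explorer "Start Page" registry value as the one homepage location inspected, and the output format are this example's own assumptions, not details from the article.

```powershell
# Added example (not from the article): hunt for the artefacts the article describes.
# Assumptions: the file name "houzi.sys" and %TEMP% come from the article; the extra
# search roots, the IE Start Page check and the output shape are this script's choices.

$driverName  = 'houzi.sys'
$searchRoots = @($env:TEMP, "$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers")

# Read the PE header to confirm the "32-bit driver" claim: e_lfanew at 0x3C points at
# "PE\0\0", and IMAGE_FILE_HEADER.Machine sits 4 bytes past that signature.
function Get-PEMachine {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not a PE (no MZ header)' }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length) { return 'truncated PE' }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'bad PE signature' }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { '32-bit (i386)' }
        0x8664  { '64-bit (x64)' }
        default { 'unknown machine 0x{0:X4}' -f $machine }
    }
}

# 1. Look for the dropped driver file and record hash, signer and bitness for triage.
$hits = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -File -Recurse -ErrorAction SilentlyContinue
    }
}

foreach ($file in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path       = $file.FullName
        SizeBytes  = $file.Length
        SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Machine    = Get-PEMachine -Path $file.FullName
        SigStatus  = $sig.Status            # see caveat below: revocation is not checked here
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# 2. Is a driver with that name registered with the service control manager, and is it running?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq 'houzi' -or $_.PathName -match 'houzi\.sys' } |
    Select-Object Name, State, StartMode, PathName

# 3. Has the homepage been pointed at 2345.com? Only the IE/legacy location is checked here;
#    Chrome and Firefox keep their start page in profile files, not in this key.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match '2345\.com') {
    Write-Warning "IE Start Page is set to '$startPage'"
} else {
    Write-Output "IE Start Page: $startPage"
}
```

Run it from an elevated session so the drivers directory and the service list are readable. Two caveats: Get-AuthenticodeSignature does not perform an online revocation check, so a driver signed with the revoked certificate can still report SigStatus = Valid; the thumbprint it returns is what to compare against the issuer's revocation data. And because the article says the driver is loaded hidden amongst standard drivers during setup, an empty result from the file search alone does not prove a host is clean; treat a hit as confirmation, not its absence as clearance.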