CEIDPage is delivered via the RIG exploit kit and was detected when it made an attempt to interfere with a victim’s browser. The malware tried to turn a victim’s homepage into 2345.com, which is a legitimate Chinese directory for TV listings, weather forecasts, and more. Researchers claim that “CEIDPageLock is sophisticated for a browser hijacker and now a bolt-on for RIG that has received ‘noticeable’ improvements.” The malware monitors victim’s browser activity and has the ability to change some websites with fake homepages. CEIDPage’s prime target is Chinese users using Windows-based systems, but there have been 40 infections in the United States as well. The dropper extracts a 32-bit kernel-mode driver that is saved in the Windows temporary directory as “houzi.sys.” The driver was signed with a certificate that has now been revoked by the issuer. The driver is hidden amongst standard drivers during setup and, when executed, the dropper will send the victim’s MAC address and user ID to a malicious domain that is controlled by a C&C server. The information will be used when the victim starts browsing in order to download the malicious homepage configuration. If the victim is redirected from the legitimate services to the forged ones, the attacker can hijack the victim’s credentials, collect data without user consent, and allow for malicious payloads to be deployed.
August 30, 2018