The RIG Exploit kit that infected 1.3 million devices a few years ago is back and it’s up to no good again.
The RIG Exploit kit was responsible for infecting computers globally at an average rate of 27,000 per day, according to statistics released back in 2015.
The crippling malware is back in the form of something called CEIDPageLock, which is “being distributed by the RIG Exploit kit,” according to Check Point, a company that provides IT security products.
Today, RIG is the most active exploit kit, according to Trend Micro. By the second half of 2017, a number of major exploit kits had faded away, but RIG stuck around, Trend Micro said.
This version of the malware – which targets Windows systems – tries to hijack your browser and turn your home page into 2345.com – a Chinese web directory, according to Check Point.
“It’s an illustrative example of the economic incentive for attackers,” Asaf Cidon, vice president of email security services at Barracuda Networks, told Fox News in an email.
“Instead of using the malware as a vehicle for ransomware, they prefer to use it as a mechanism for stealing credentials undetected, and then using those to launch follow up attacks from the compromised account,” Cidon added.
That economic incentive is realized when a hijacked browser redirects victims to search engines that share ad revenue with the referrers, Check Point said.
The malware also collects browsing data on its victims, monitoring what sites users visit and how long they spend on those sites. “They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content,” according to Check Point.
The malware also incorporates VMProtect, making analysis difficult, Check Point added.
So far, the infection rate for this new RIG-distributed malware is low and it has hit mostly Chinese users, but given the kit's past success, the potential to break out is there.
“The ability to execute code on an infected device while operating from the [software] kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor,” Check Point said.
The rootkit was first discovered by 360 Security Center.