The RIG exploit kit, which at its peak infected an average of 27,000 machines per day, has been grafted with a new tool designed to hijack browsing sessions.
The malware in question, a rootkit called CEIDPageLock, has been distributed through the exploit kit in recent weeks.
According to researchers from Check Point, the rootkit was first discovered in the wild several months ago.
CEIDPageLock was detected when it attempted to tamper with a victim's browser. The malware was attempting to turn their homepage into 2345.com, a legitimate Chinese directory for weather forecasts, TV listings, and more.
The researchers say that CEIDPageLock is sophisticated for a browser hijacker and now a bolt-on for RIG has received "noticeable" improvements.
Among the new additions is functionality which permits user browsing activities to be monitored, alongside the power to change a number of websites with fake home pages.
The malware targets Microsoft Windows systems. The dropper extracts a 32-bit kernel-mode driver which is saved in the Windows temporary directory with the name "houzi.sys." While signed, the certificate has now been revoked by the issuer.
When the driver executes, hidden amongst standard drivers during setup, the dropper then sends the victim PC's mac address and user ID to a malicious domain controlled by a command-and-control (C&C) server. This information is then used when a victim begins browsing in order to download the desired malicious homepage configuration.
If victims are redirected from legitimate services to fraudulent ones, this can lead to threat actors obtaining account credentials, victims being issued malicious payloads, as well as the gathering of data without consent.
"They then either use the information themselves to target their ad campaigns or sell it to other companies that use the data to focus their marketing content," the team says.
The latest version of the rootkit is also packed with VMProtect, which Check Point says makes an analysis of the malware more difficult to achieve. In addition, the malware prevents browsers from accessing antivirus solutions' files.
CEIDPageLock appears to focus on Chinese victims. Infection rates number in the thousands for the county, and while Check Point has recorded 40 infections in the United States, the spread of the malware is considered "negligible" outside of China.
"At first glance, writing a rootkit that functions as a browser hijacker and employing sophisticated protections such as VMProtect, might seem like overkill," Check Point says. "CEIDPageLock might seem merely bothersome and hardly dangerous, the ability to execute code on an infected device while operating from the kernel, coupled with the persistence of the malware, makes it a potentially perfect backdoor."
According to Trend Micro, exploit kits are still making inroads in the cybersecurity landscape. RIG remains the most active, followed by GrandSoft and Magnitude.