Microsoft Exposes New Adrozek Malware That Is Affecting Edge, Chrome, and Firefox Browsers with Adware

Priderock Joy
3 min read · Dec 14, 2020


Microsoft has raised the alarm about a new malware strain that infects users’ devices and then proceeds to modify browsers and their settings to inject ads into search results pages.

The malware, named Adrozek, has been active since at least May 2020 and reached its peak in August 2020, when it controlled more than 30,000 browsers each day.

The Microsoft 365 Defender Research Team believes the number of infected users is much higher. Between May and September 2020, it observed hundreds of thousands of encounters with the Adrozek malware across the globe, with a heavy concentration in Europe, South Asia, and Southeast Asia.

Source: Microsoft

Currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.

The booby-trapped software installs the Adrozek malware, which then obtains reboot persistence with the help of a registry key. Once persistence is assured, the malware looks for locally installed browsers such as Microsoft Edge, Google Chrome, or Mozilla Firefox.

If any of these browsers are found on the infected host, the malware attempts to force-install an extension by modifying the browser’s AppData folders.

To make sure the browser’s security features don’t kick in and detect the unauthorized modifications, Adrozek also modifies some of the browsers’ DLLs.
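The three mechanisms above (an autorun registry value, extension folders dropped into the browser profile under AppData, and tampered browser DLLs) are all things a defender can enumerate on a Windows host without any Adrozek-specific indicator. The PowerShell script below is an added example written for this post; it is not code from the article or from Microsoft’s report. It assumes the stock install locations for Chrome, Edge, and Firefox and only reads and reports; the real indicators of compromise (specific registry value names, DLL names, extension IDs) are in Microsoft’s report and are not reproduced here.

```powershell
# Read-only triage of the three artefacts described in the article.
# Assumptions (labelled): default install paths; run in the affected user's session.
$ErrorActionPreference = 'SilentlyContinue'

# --- 1. Reboot persistence: list every Run/RunOnce value for user and machine.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Autorun entries =="
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        # Drop the PS* provider properties; everything else is an autorun value.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# --- 2a. Extension folders present on disk in each Chromium profile.
# Each <profile>\Extensions\<id>\<version>\manifest.json names the extension
# (names starting with __MSG_ are localisation placeholders, still worth noting).
$chromiumUserData = @{
    'Chrome' = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    'Edge'   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
}
Write-Host "`n== Chromium extension folders =="
foreach ($browser in $chromiumUserData.Keys) {
    $root = $chromiumUserData[$browser]
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
        ForEach-Object {
            $prof = $_
            Get-ChildItem -Path (Join-Path $prof.FullName 'Extensions') -Directory |
                ForEach-Object {
                    $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse |
                        Select-Object -First 1
                    $name = '(no manifest)'
                    if ($manifest) {
                        $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name
                    }
                    "{0}/{1}: {2}  {3}" -f $browser, $prof.Name, $_.Name, $name
                }
        }
}

# --- 2b. Firefox add-ons are .xpi files under each profile's extensions folder.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Write-Host "`n== Firefox extensions =="
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path (Join-Path $ffProfiles '*\extensions\*.xpi') |
        ForEach-Object { "{0}: {1}" -f $_.Directory.Parent.Name, $_.Name }
}

# --- 2c. Policy-driven force-install lists: a legitimate enterprise mechanism,
# so anything here that IT did not configure deserves a look.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
Write-Host "`n== Extension force-install policies =="
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "{0}: {1}" -f $key, $_.Value }
    }
}

# --- 3. Tampered binaries: vendor DLLs/EXEs whose Authenticode signature no
# longer validates (a modified file shows HashMismatch or NotSigned).
$installDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
)
Write-Host "`n== Browser binaries with non-valid signatures =="
foreach ($dir in $installDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Include *.dll, *.exe |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                "{0}  status={1}  signer={2}" -f $_.FullName, $sig.Status, $sig.SignerCertificate.Subject
            }
        }
}
```

Run it in the session of the user whose browser is showing the extra ads and compare the output against what that user actually installed and what your organisation’s policy pushes; an unfamiliar extension ID, a Run value pointing into a user-writable folder, or a vendor DLL reporting HashMismatch is the kind of finding that justifies the browser reinstall Microsoft recommends.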

All of this is done to allow Adrozek to inject ads into search results pages, ads that allow the malware gang to earn revenue by directing traffic to ad and traffic-referral programs.

Source: Microsoft

Adrozek also contains a secondary feature that extracts credentials from the browser and uploads the data to the attacker’s servers.

Microsoft says the Adrozek operation is sophisticated, especially with regard to its distribution infrastructure. It tracked 159 domains that hosted Adrozek installers since May 2020. Each domain hosted on average 17,300 dynamically generated URLs, and each URL hosted more than 15,300 dynamically generated Adrozek installers.

“While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational,” Microsoft said.

Due to its prolific use of polymorphism to constantly rotate its malware payloads and distribution infrastructure, Microsoft expects the Adrozek operation to grow even more in the coming months.

If users notice that their browsers are returning search results with a large number of ads, the Microsoft Adrozek report contains indicators of compromise that will help them determine whether they’ve been infected. Microsoft advised end users who find this threat on their devices to reinstall their browsers.
