A hot potato: The Microsoft Defender research team has identified a new malware campaign that targets the most popular web browsers to generate ad revenue for malicious actors. While it may appear harmless to the user, the sophisticated behavior of the malware indicates that it could be used to gain deeper access to the data on your Windows device.
Microsoft issued a warning this week about a widespread malware campaign that involves hijacking the most popular web browsers on tens of thousands of devices every day. Attackers can silently make changes to users’ computers to inject ads into search results and earn a significant amount of revenue.
Microsoft tracks this family of browser-modifier malware under the name "Adrozek"; it was first observed in May 2020.
Attackers are using more than 100 domain names, each hosting an average of 17,300 URLs. Microsoft researchers say they have found more than 15,300 unique, polymorphic malware samples. In just five months, they logged hundreds of thousands of Adrozek detections around the world, concentrated in Europe, South Asia, and Southeast Asia.
The methods used by the attackers are not new, but they have become more sophisticated and can now affect multiple browsers at the same time, including Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex browser. Adrozek works by installing its own browser extensions and modifying specific DLL files belonging to the browser, which switches off the browser's built-in security controls and lets the malware change settings that would normally be protected. With those controls out of the way, it inserts its own advertisements alongside the legitimate ones on the web pages you visit.
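A practical way to check for the two changes described above is to verify that each browser's main DLL still carries a valid Authenticode signature (a patched DLL no longer matches its embedded signature) and to list the extensions installed in each browser profile. The script below is an added example written for this article, not Microsoft's tooling or anything published with the Adrozek report; the install paths, DLL names (chrome.dll, msedge.dll, xul.dll) and profile locations are the defaults for 64-bit Windows and are assumptions you may need to adjust. It does not attempt to identify Adrozek itself, only to surface the kind of tampering the malware relies on.

```powershell
# Added example (not from the article or from Microsoft): report the Authenticode status of the main
# browser DLLs and enumerate installed Chromium extensions. Paths and DLL names are assumptions
# based on default installs; adjust them for non-default or per-user installations.
# Run in an elevated PowerShell 5.1 or 7 session on Windows.

$browsers = @(
    @{ Name = 'Chrome';  Root = "$env:ProgramFiles\Google\Chrome\Application";          Dll = 'chrome.dll'
       Profile = "$env:LOCALAPPDATA\Google\Chrome\User Data" }
    @{ Name = 'Edge';    Root = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application";  Dll = 'msedge.dll'
       Profile = "$env:LOCALAPPDATA\Microsoft\Edge\User Data" }
    @{ Name = 'Firefox'; Root = "$env:ProgramFiles\Mozilla Firefox";                    Dll = 'xul.dll'
       Profile = $null }   # Firefox stores extensions in extensions.json per profile; not enumerated here
)

foreach ($b in $browsers) {
    if (-not (Test-Path $b.Root)) { continue }

    # Chromium browsers keep the DLL in a version-numbered subfolder; Firefox keeps it at the top level.
    $dlls = Get-ChildItem -Path $b.Root -Filter $b.Dll -Recurse -File -ErrorAction SilentlyContinue
    if (-not $dlls) { Write-Warning "$($b.Name): $($b.Dll) not found under $($b.Root)"; continue }

    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        # A DLL that has been modified on disk reports HashMismatch; an unsigned replacement reports NotSigned.
        $flag = if ($sig.Status -eq 'Valid') { 'OK' } else { 'SUSPECT' }
        '{0,-8} {1,-8} {2,-13} {3}' -f $b.Name, $flag, $sig.Status, $dll.FullName
        if ($sig.Status -eq 'Valid') {
            '         signer: {0}' -f $sig.SignerCertificate.Subject
        }
    }

    if ($b.Profile -and (Test-Path $b.Profile)) {
        # Every profile directory (Default, Profile 1, ...) may have an Extensions folder laid out as
        # <extension id>\<version>\manifest.json. Any id you do not recognise deserves a closer look.
        Get-ChildItem -Path $b.Profile -Directory | ForEach-Object {
            $extDir = Join-Path $_.FullName 'Extensions'
            if (-not (Test-Path $extDir)) { return }
            $profileName = $_.Name
            Get-ChildItem -Path $extDir -Directory | ForEach-Object {
                $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -File |
                            Select-Object -First 1
                $name = '?'
                if ($manifest) {
                    try { $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } catch { }
                }
                '         [{0}] extension {1} ({2})' -f $profileName, $_.Name, $name
            }
        }
    }
}
```

A `SUSPECT` line for chrome.dll or msedge.dll means the file on disk no longer matches what Google or Microsoft signed, which is exactly what you would expect after the DLL patching described above; compare any unfamiliar extension id against the browser's own extensions page, since a malicious extension dropped on disk may be hidden from that page if the settings file was also altered. A clean result only rules out these two artefacts, not an infection by other means.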
Adrozek is particularly effective on search engines like Google, where the attackers can target users based on the keywords they search for. In the screenshot Microsoft published, a user sees search results with the top positions filled by affiliate links. The more people click on these links, the more money the attackers make, because they are paid for the traffic they drive to those sponsored pages.
Microsoft explains that Adrozek could easily be used to cause further damage to infected PCs by delivering additional malicious payloads and exfiltrating website credentials. The campaign's infrastructure changes dynamically over time, and its domains are dressed up to look more legitimate.
If you observe the behavior described above on your system, Microsoft's recommended remedy is to reinstall the affected browsers; its report also explains how to prevent malware infections like this.