Google Chrome, Firefox, Microsoft Edge and Yandex Browser are affected by an ongoing malware campaign designed to inject ads into search results and add malicious browser extensions, Microsoft revealed on Thursday. Dubbed Adrozek, the newly discovered malware family has been active on a large scale since at least May of this year; the attacks peaked in August, when the threat was observed on more than 30,000 devices every day.
Microsoft said that from May to September it recorded hundreds of thousands of Adrozek encounters around the world. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn served an average of more than 15,300 distinct polymorphic malware samples.
The ultimate goal of the campaign is to drive users to affiliate pages by serving malware-embedded ads in search results. To get there, the malware silently adds malicious browser extensions and changes browser settings so that ads are inserted into web pages, often alongside legitimate search engine ads. It is also reported to modify a DLL specific to the target browser (MsEdge.dll in Microsoft Edge, for example) in order to disable security controls.
The Microsoft 365 Defender research team noted in a blog post that, while cybercriminals abusing affiliate programs is nothing new, this campaign uses a single piece of malware that affects multiple browsers. The malware also exfiltrates website credentials, exposing users to additional risks.
What sets Adrozek apart from earlier threats is that it lands on devices “via automatic download”, with installer file names following the standard setup_.exe format. When run, the installer drops an .exe with a random file name into the temporary folder, which in turn places the main payload in the Program Files folder. The payload poses as legitimate audio-related software and uses names such as Audiolava.exe, QuickAudio.exe or converter.exe.
Researchers found that the malware installs itself like a regular program and shows up in the Apps & Features settings. It is also registered as a Windows service under the same name. These tricks help it evade common antivirus software.
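The installation footprint described above (a payload under Program Files, visible in Apps & Features, mirrored by a Windows service of the same name) is something a defender can check for by correlating two inventories. The following is an added example, not code from the article or from Microsoft: it runs a triage over a constructed inventory of installed programs and services, flagging entries that match the reported pattern. The program and service names apart from those the article reports are made up; on a live host the same records would come from the Uninstall registry key and the service list.

```python
from dataclasses import dataclass

# Install roots the article names for the main payload.
PROGRAM_FILES_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Payload file names reported for this campaign (from the article); illustrative, not an exhaustive IoC list.
REPORTED_PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}


@dataclass
class InstalledProgram:
    """One 'Apps & Features' row (what the Uninstall registry key exposes)."""
    display_name: str
    install_location: str
    executable: str


@dataclass
class WindowsService:
    """One service definition: its name and the image path it runs."""
    name: str
    image_path: str


def triage(programs, services):
    """Return (program name, reasons) for programs that match the article's installation pattern.

    Evidence is accumulated: a program is only flagged when it sits under Program Files
    AND either carries a reported payload name or is mirrored by a service of the same
    name that runs from the program's own folder.
    """
    services_by_name = {s.name.lower(): s for s in services}
    findings = []
    for prog in programs:
        location = prog.install_location.lower().rstrip("\\") + "\\"
        if not location.startswith(PROGRAM_FILES_ROOTS):
            continue
        reasons = []
        if prog.executable.lower() in REPORTED_PAYLOAD_NAMES:
            reasons.append("executable name matches a payload name reported for Adrozek")
        svc = services_by_name.get(prog.display_name.lower())
        if svc and svc.image_path.lower().startswith(location):
            reasons.append(f"Windows service '{svc.name}' has the same name and runs from the install folder")
        if reasons:
            findings.append((prog.display_name, reasons))
    return findings


# Constructed inventory: two legitimate programs and one entry shaped like the article's description.
SAMPLE_PROGRAMS = [
    InstalledProgram("7-Zip", r"C:\Program Files\7-Zip", "7zFM.exe"),
    InstalledProgram("QuickAudio", r"C:\Program Files\QuickAudio", "QuickAudio.exe"),
    InstalledProgram("Audacity", r"C:\Program Files\Audacity", "audacity.exe"),
]
SAMPLE_SERVICES = [
    WindowsService("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    WindowsService("QuickAudio", r"C:\Program Files\QuickAudio\QuickAudio.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROGRAMS, SAMPLE_SERVICES):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Service image paths read from the registry are often quoted and may carry arguments; strip those before passing them in. The name list is deliberately only part of the evidence, since the article notes the payload names are chosen to look like ordinary audio tools, so the service correlation is what separates a real hit from a legitimate program.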
However, like other malware of its kind, once installed Adrozek tampers with specific browser extensions. The Microsoft team observed this particularly in Google Chrome, where it usually modifies the default “Chrome Media Router” extension. In Microsoft Edge and Yandex Browser it likewise reuses the IDs of legitimate extensions such as “Radioplayer”.
“Despite targeting different extensions in each browser, the malware adds the same malicious scripts to these extensions,” the Microsoft team of researchers said in the blog post.
The malicious scripts connect to the attackers' server and fetch additional scripts that inject ads into search results.
“In the past, browser modifiers calculated hashes the way browsers do, and updated secure preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check,” the publication said.
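The quoted passage, together with the description of the modified extensions above, turns on how a browser's protected preference file works: each protected entry carries an HMAC, and the browser resets any entry whose HMAC no longer matches. The following is an added example, not code from the article, from Microsoft or from any browser: it models such a store with a constructed seed and device id (real browsers use their own) and runs the three situations the article contrasts, a naive edit, an edit with the MAC recomputed the way the browser does it, and an edit with the integrity check skipped entirely. The preference paths and extension entry are constructed.

```python
import copy
import hashlib
import hmac
import json

# Constructed stand-ins: real browsers ship their own HMAC seed and bind MACs to a
# per-machine identifier. Neither value here is any browser's actual constant.
SEED = b"constructed-demo-seed-not-a-real-browser-seed"
DEVICE_ID = "constructed-machine-id"


def canonical(value):
    """Deterministic JSON so the same value always hashes the same way."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def pref_mac(path, value):
    """HMAC-SHA256 over device id + preference path + canonical value (modelled on,
    not identical to, how browsers protect their secure preferences)."""
    msg = (DEVICE_ID + path + canonical(value)).encode("utf-8")
    return hmac.new(SEED, msg, hashlib.sha256).hexdigest().upper()


def build_store(prefs):
    """Write a preference file: the values plus one MAC per protected path."""
    return {"prefs": copy.deepcopy(prefs),
            "protection": {"macs": {p: pref_mac(p, v) for p, v in prefs.items()}}}


def integrity_check(store):
    """Return the paths whose stored MAC no longer matches their value."""
    macs = store["protection"]["macs"]
    return [p for p, v in store["prefs"].items()
            if not hmac.compare_digest(macs.get(p, ""), pref_mac(p, v))]


def load_prefs(store, run_integrity_check=True):
    """Model of browser start-up: tampered entries are reset to None (a safe default)
    when the check runs; with the check patched out they are accepted as-is."""
    loaded = copy.deepcopy(store["prefs"])
    if run_integrity_check:
        for path in integrity_check(store):
            loaded[path] = None
    return loaded


EXT_PATH = "extensions.settings.demo-extension-id"   # constructed preference path


def scenarios():
    """Three ways a browser modifier can meet the integrity check."""
    clean = build_store({
        EXT_PATH: {"name": "Chrome Media Router", "scripts": ["background.js"]},
        "session.restore_on_startup": 1,
    })

    # 1. Naive edit: the extension entry is changed but its MAC is left alone.
    naive = copy.deepcopy(clean)
    naive["prefs"][EXT_PATH]["scripts"].append("injected.js")

    # 2. Older modifiers: edit the value and recompute the MAC the way the browser does.
    recomputed = copy.deepcopy(naive)
    recomputed["protection"]["macs"][EXT_PATH] = pref_mac(EXT_PATH, recomputed["prefs"][EXT_PATH])

    # 3. Adrozek-style: leave the file inconsistent and keep the check from running at all.
    return {
        "naive_detected": integrity_check(naive),
        "naive_loaded": load_prefs(naive)[EXT_PATH],
        "recomputed_detected": integrity_check(recomputed),
        "recomputed_loaded": load_prefs(recomputed)[EXT_PATH],
        "check_skipped_loaded": load_prefs(naive, run_integrity_check=False)[EXT_PATH],
    }


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

The defender's takeaway is that the browser's own check is only as good as the code that invokes it: once that code is patched, an on-disk preference file can be openly inconsistent and still be honoured. An independent recomputation of the MACs from a known-good tool, or integrity monitoring of the browser binaries and DLLs the article says are modified, catches both the recomputed-MAC and the skipped-check cases.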
Adrozek has also been found to prevent browsers from updating to the latest versions by adding a policy that disables updates. It also changes system settings to gain additional control over the compromised device.
There has been a large concentration of Adrozek in Europe, South Asia and Southeast Asia, the researchers said. However, as the campaign is still active, it could expand to other geographies over time.
Microsoft suggests that users install an antivirus solution such as Microsoft Defender Antivirus, whose built-in endpoint protection uses behavior-based and machine learning-based detections to block malware families, including Adrozek.
That said, the scope of the latest malware campaign appears to be limited to Windows devices, as there are no findings highlighting its impact on macOS or Linux machines.
Earlier this year, Microsoft removed a number of extensions from its Edge Add-ons store that were injecting ads into Google and Bing search results. Google took similar action on the Chrome Web Store to stop attackers from generating revenue by silently pushing ads into search results. A malware campaign like Adrozek, however, appears to call for a tougher response than removing a few extensions from web stores.