Google Chrome, Firefox, Microsoft Edge, and Yandex browsers are affected by an ongoing malware campaign designed to inject ads into search results and add malicious browser extensions, Microsoft revealed on Thursday. Dubbed Adrozek, the newly discovered malware family has been operating at scale since at least May this year, and the attacks peaked in August, when the threat was observed on more than 30,000 devices every day.
Microsoft said that from May to September, it recorded hundreds of thousands of encounters of the Adrozek malware globally. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which, in turn, host an average of over 15,300 distinct, polymorphic malware samples.
The ultimate aim of the campaign is to drive users to affiliate pages by inserting its own ads into search results. To do so, the malware silently adds malicious browser extensions and changes browser settings so that ads are injected into webpages, often on top of the legitimate ads served by search engines. It is also said to modify a DLL specific to each target browser, MsEdge.dll on Microsoft Edge for instance, to turn off security controls.
The Microsoft 365 Defender Research team noted in a blog post that although cybercriminals abusing affiliate programs is nothing new, this campaign used a single piece of malware that affects multiple browsers. The malware also exfiltrates website credentials, which poses additional risks to users.
What makes Adrozek different from earlier malware threats is that it gets installed on devices “through drive-by download”, with installer file names following a standard format of setup_.exe. When run, the installer drops an .exe file with a random name in the temporary folder, which, in turn, drops the main payload in the Program Files folder. This payload poses as legitimate audio-related software and carries names like Audiolava.exe, QuickAudio.exe, or converter.exe.
Researchers found that the malware is installed like an ordinary program and can be seen in the Apps & features settings. It is also registered as a Windows service under the same name. These tricks may keep it from being caught by ordinary antivirus software.
Once installed, Adrozek makes changes to certain browser extensions, as malware of this kind typically does. The Microsoft team documented this specifically on Google Chrome, where it typically modifies the default “Chrome Media Router” extension. Similarly, on Microsoft Edge and Yandex Browser, it uses the IDs of legitimate extensions, such as “Radioplayer”.
“Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions,” the Microsoft research team said in the blog post.
The malicious scripts help attackers establish a connection with their server and fetch additional scripts that allow injecting advertisements into search results.
“In the past, browser modifiers calculated the hashes like browsers do and updated the Secure Preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check,” the post said.
Adrozek also prevents the browsers from updating to their latest versions by adding a policy that turns off updates. Additionally, it changes system settings to gain further control over the compromised device.
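As an added example that is not part of the article or of Microsoft's report, the PowerShell script below turns the installation traits described above (the payload names, the Windows service registration, the Apps & features entry) and the update-blocking policy into a read-only triage check an analyst can run on a Windows host. The payload names are taken from the article; the registry locations for browser update policy and for installed-program entries are assumptions about where Windows and the browsers keep those settings, and the exact policy value Adrozek writes is not given in the article.

```powershell
# Added triage example; not code from the article or from Microsoft's report.
# Read-only: it reports findings and changes nothing on the host.
# Assumptions (not stated in the article): Chrome and Edge read update policy
# from the registry keys in Get-UpdatePolicyFindings, where a DWORD
# UpdateDefault of 0 means "updates disabled"; the uninstall hives below are
# where "Apps & features" lists installed programs.

# Payload file names named in the article, plus their stems for display names.
$SuspectNames   = @('Audiolava.exe', 'QuickAudio.exe', 'converter.exe')
$SuspectPattern = ($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$SuspectStems   = ($SuspectNames | ForEach-Object {
    [regex]::Escape([IO.Path]::GetFileNameWithoutExtension($_))
}) -join '|'

function Get-SuspectServices {
    # Windows services whose binary sits under Program Files and carries one of
    # the payload names (the article says the service uses the payload's name).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -match 'Program Files' -and
            $_.PathName -match $SuspectPattern
        } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SuspectInstalledApps {
    # Entries shown in "Apps & features" come from these uninstall keys
    # (assumed location). "converter" is a generic stem, so review hits manually.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.DisplayName -and $_.DisplayName -match "^($SuspectStems)$") -or
            ($_.UninstallString -and $_.UninstallString -match $SuspectPattern)
        } |
        Select-Object DisplayName, InstallLocation, UninstallString
}

function Get-UpdatePolicyFindings {
    # Assumed policy locations (not from the article). UpdateDefault = 0
    # disables browser auto-update, which matches the behaviour described.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Google\Update',
        'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.UpdateDefault -and $props.UpdateDefault -eq 0) {
            [pscustomobject]@{
                Key     = $key
                Setting = 'UpdateDefault'
                Value   = $props.UpdateDefault
                Finding = 'browser auto-update disabled by policy'
            }
        }
    }
}

function Invoke-AdrozekTriage {
    # Collects the three checks into one object suitable for a SIEM or ticket.
    $services = @(Get-SuspectServices)
    $apps     = @(Get-SuspectInstalledApps)
    $policies = @(Get-UpdatePolicyFindings)
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Suspicious     = ($services.Count -gt 0 -or $apps.Count -gt 0 -or $policies.Count -gt 0)
        Services       = $services
        InstalledApps  = $apps
        UpdatePolicies = $policies
    }
}

Invoke-AdrozekTriage | ConvertTo-Json -Depth 4
```

A hit on the update-policy check alone is not proof of infection, since administrators legitimately pin browser versions the same way; the check is useful because the article describes the policy being added on a machine where nobody configured it, so the result should be compared against the organisation's own policy baseline before escalating.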
There has been a heavy concentration of Adrozek in Europe, South Asia, and Southeast Asia, said the researchers. However, as the campaign is still active, it could expand to other geographies over time.
Microsoft suggests that users install an antivirus solution such as Microsoft Defender Antivirus, whose built-in endpoint protection uses behaviour-based, machine learning-powered detections to block malware families including Adrozek.
That said, the scope of the campaign appears limited to Windows devices, as there are no findings pointing to an impact on macOS or Linux machines.
Earlier this year, Microsoft pulled a list of extensions from its Edge Add-ons store that were injecting ads into Google and Bing search results. Google took similar action on the Chrome Web Store to stop attackers from generating revenue by quietly pushing ads into search results. A malware campaign like Adrozek, however, seems to require a tougher approach than pulling some extensions from web stores.