Google Chrome, Firefox, Microsoft Edge and Yandex have become the latest targets of an ongoing malware campaign, dubbed Adrozek, as revealed by Microsoft. The malware injects ads into search results and adds malicious browser extensions. The company claims that this virus has been at scale since at least May, with the attacks peaking in August, with the threat being noticed on more than 30,000 devices every day.
The main goal for Adrozek is to lead people to affiliate pages. It is doing so by silently adding malicious browser extensions and changing the browser settings to insert ads into webpages. It is also modifying the Dynamic Link Library (DLL) files per target browser, for example, it is turning of MsEdge.dll on Microsoft Edge, which is basically turning off the security controls of the browser.
Microsoft 365 Defender Research team in a blog post stated that this is a unique campaign as it affects multiple browsers and also exfiltrates website credentials that may bring additional risks to users.
Adrozek installs into a device via a “though drive-by download,” which basically carries a generic file name and a standard format of setup_.exe. When a user runs the programme, the installer puts a random .exe file into a temporary folder, which, in turn, drops the main payload in the Program Files folder. The payload holds names like Audiolava.exe, QuickAudio.exe or converter.exe, thus making people believe that it’s a legitimate audio-related software. The malware then installs just like a usual program, which shows up inside of the Apps & features settings. It is also registered as a Windows service. These tricks thus help it from getting detected by antivirus software.
On Google Chrome, Adrozek modifies the default “Chrome Media Router” extension, whereas, on Microsoft Edge and Yandex, it uses IDs of legitimate extensions, such as “Radioplayer.”Even though, it targets different extensions on each browser, it still uses the same malicious scripts to infect these extensions. These then help the attackers connect the browser to their server and then inject advertisements into search results.
Apart from injecting ads, Adrozek can also prevent browsers from being updated with the latest versions by adding a policy to turn off updates.
Microsoft claims, Adrozek is in high concentration in Europe, South Asia and Southeast Asia, as of now. It also added that, due to the campaign still being active, it could soon expand to other geographies soon.
The company recommends that users should use an antivirus solution like Microsoft Defender, which has endpoint protection and can block malware families.
0 Comments