Microsoft announced the emergence of a new malware called Adrozek, which infects users’ devices and changes the settings of their browsers in order to place ads in search results.
According to the company, the malware has been active since at least May of this year and peaked in August, when it monitored more than 30,000 infected browsers daily.
“However, the real number of infected users is much higher, because between May and September 2020, experts recorded “hundreds of thousands” of Adrozek detections around the world”, – say Microsoft analysts.
Europe appears to be the hardest hit by the new threat, followed by South and Southeast Asia.
Currently, malware is spread using classic drive-by attacks. That is, users are redirected from legitimate sites to the domains of the attackers, where they are tricked into installing malware, which then ensures itself a permanent presence in the system by registering in the registry.
Once in the system, Adrozek will search for locally installed browsers, including Microsoft Edge, Google Chrome, Mozilla Firefox, and Yandex Browser. If a target is found, the malware tries to force its extension by modifying the AppData folder.
To ensure that browser protection does not work and does not detect unauthorized modifications, Adrozek also modifies some browser DLLs, settings and disables security mechanisms. So, the malware makes the following changes:
- disables browser updates;
- disables file integrity checks;
- disables safe browsing features;
- registers and activates the extension added in the previous step;
- allows a malicious extension to run in incognito mode;
- allows launching the extension without obtaining the appropriate rights;
- hides the extension from the toolbar;
- changes the browser’s default home page;
- changes the default search engine.
All of this is done so that Adrozek can advertise on search results pages. Due to this advertising, malware operators receive income by directing traffic to advertising sites or referral programs.
Worse, in the case of Firefox, the malware also extracts credentials from the browser and sends them to the attackers’ server.
Microsoft writes that Adrozek’s operations are extremely complex, especially when it comes to distribution infrastructure. Since May 2020, the company has tracked 159 domains that hosted Adrozek installers. Each domain hosted an average of 17,300 dynamically generated URLs, and each URL hosted over 15,300 dynamically generated Adrozek installers.
“While many of the domains contained tens of thousands of URLs, some had over 100,000 unique URLs, and on one we found nearly 250,000 URLs. This massive infrastructure reflects the determination of the attackers to keep this campaign running. Some of these domains have been active for only one day, while others have been active for much longer (up to 120 days)”, — wrote the experts, adding that the scale of Adrozek’s operations is likely to increase in the next months.
Let me remind you that recently I also talked about Jupyter malware, that steals data from Chromium, Firefox and Chrome browsers.
