Your browser could be affected by an ongoing malware campaign: Microsoft
Google Chrome, Firefox, Microsoft Edge and Yandex Browser are being targeted by an ongoing malware campaign that injects ads into search results and tampers with browser extensions, Microsoft revealed on Thursday. Dubbed Adrozek, the newly documented malware family has been active at scale since at least May of this year (2020). The attacks peaked in August, when the threat was observed on more than 30,000 devices every day.
Microsoft said that from May to September it logged hundreds of thousands of Adrozek encounters around the world. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn hosted an average of more than 15,300 distinct polymorphic malware samples.
The ultimate goal of the campaign is to drive users to affiliate pages by injecting ads into search results. To get there, the malware silently adds malicious code to browser extensions and changes browser settings so that ads are inserted into web pages, often alongside legitimate search engine ads. It also modifies browser-specific DLLs (MsEdge.dll in Microsoft Edge, for example) to turn off security controls.
The Microsoft 365 Defender Research Team noted in a blog post that while cybercriminals abusing affiliate programs is nothing new, this campaign uses malware that affects multiple browsers at once. The malware also exfiltrates website credentials (Microsoft's report ties this behaviour to Firefox), which exposes affected users to further risk.
Adrozek reaches devices via drive-by download, with installer file names that follow a standard pattern of a "setup_" prefix and an ".exe" extension. When it runs, the installer drops an .exe with a random file name into the temporary folder, which in turn drops the main payload into the Program Files folder. The payload masquerades as legitimate audio-related software, using names such as Audiolava.exe, QuickAudio.exe or converter.exe.
Researchers found that the malware installs itself like a regular program: it shows up under the Apps & Features settings and registers a Windows service under the same name. Blending in this way helps it evade common antivirus software.
Once installed, Adrozek modifies specific browser extensions. The Microsoft team called this out in particular for Google Chrome, where it usually modifies the default "Chrome Media Router" extension. In Microsoft Edge and Yandex Browser it uses the IDs of legitimate extensions, such as "Radioplayer".
“Despite targeting different extensions in each browser, the malware adds the same malicious scripts to these extensions,” the Microsoft team of researchers said in the blog post.
These malicious scripts connect to the attackers' server and fetch additional scripts, which are what actually inject the ads into search results.
"In the past, browser modifiers calculated hashes the way browsers do and updated Secure Preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check," the post said.
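The distinction in that quote, recomputing the hashes versus disabling the check, is easier to see in code. The following Python is an added illustration, not code from Microsoft's report or from Adrozek itself. It models Chrome's Secure Preferences integrity MACs (HMAC-SHA256 over a device identifier, the preference path and the serialized value) with a constructed seed, device ID, extension ID and preferences file, all of which are assumptions; Chrome's real seed and its exact JSON serializer are not reproduced. It shows an older-style browser modifier that injects a content script into an extension entry and refreshes the MAC, a clumsy one that leaves a stale MAC behind and gets reset, and why a modifier that simply prevents the check from running does not need the seed at all.

```python
import copy
import hashlib
import hmac
import json

# Constructed values for this example. Real Chrome derives its HMAC seed from
# resources.pak and mixes in a machine-specific identifier; neither is used here.
SEED = b"example-seed-not-chromes"
DEVICE_ID = "example-device-id"

# Hypothetical 32-character extension ID standing in for a built-in extension
# such as Chrome Media Router (not the real ID).
EXT_ID = "a" * 32

# Constructed, heavily trimmed stand-in for a Secure Preferences file.
SAMPLE_PREFS = {
    "browser": {"show_home_button": False},
    "extensions": {
        "settings": {
            EXT_ID: {
                "location": 5,
                "manifest": {"name": "Media Router", "content_scripts": []},
            }
        }
    },
}
TRACKED_PATHS = ["browser.show_home_button", "extensions.settings." + EXT_ID]


def serialize(value):
    # Simplified stand-in for Chrome's compact JSONWriter output; Chrome's exact
    # escaping rules differ slightly, which does not matter for the illustration.
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def compute_mac(path, value, seed=SEED, device_id=DEVICE_ID):
    """HMAC-SHA256 over device id + pref path + serialized value, upper-case hex."""
    msg = (device_id + path + serialize(value)).encode("utf-8")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def lookup(prefs, path):
    node = prefs
    for key in path.split("."):
        node = node[key]
    return node


def sign_prefs(prefs, tracked_paths):
    """Write a MAC for every tracked path, as the browser does when it saves."""
    signed = copy.deepcopy(prefs)
    signed["protection"] = {"macs": {}}
    for path in tracked_paths:
        signed["protection"]["macs"][path] = compute_mac(path, lookup(signed, path))
    return signed


def verify_prefs(prefs):
    """Return the tracked paths whose current value no longer matches its MAC."""
    tampered = []
    for path, mac in prefs.get("protection", {}).get("macs", {}).items():
        if not hmac.compare_digest(mac, compute_mac(path, lookup(prefs, path))):
            tampered.append(path)
    return tampered


def inject_script(prefs, ext_id, script_name, resign):
    """Add a content script to an extension entry, as a browser modifier would.

    resign=True mirrors older modifiers that knew the seed and refreshed the MAC;
    resign=False leaves a stale MAC behind.
    """
    modified = copy.deepcopy(prefs)
    entry = modified["extensions"]["settings"][ext_id]
    entry["manifest"]["content_scripts"].append(
        {"js": [script_name], "matches": ["<all_urls>"]}
    )
    if resign:
        path = "extensions.settings." + ext_id
        modified["protection"]["macs"][path] = compute_mac(path, entry)
    return modified


def injected_script_survives(prefs, check_patched=False):
    """Would the injected script survive start-up, where failing prefs are reset?

    check_patched=True models the Adrozek approach described above: the function
    that launches the integrity check never runs, so nothing is ever reset.
    """
    if check_patched:
        return True
    return "extensions.settings." + EXT_ID not in verify_prefs(prefs)


if __name__ == "__main__":
    signed = sign_prefs(SAMPLE_PREFS, TRACKED_PATHS)
    stale = inject_script(signed, EXT_ID, "injected.js", resign=False)
    resigned = inject_script(signed, EXT_ID, "injected.js", resign=True)
    print("clean file, tampered paths:", verify_prefs(signed))
    print("stale MAC, tampered paths:", verify_prefs(stale))
    print("stale MAC survives:", injected_script_survives(stale))
    print("recomputed MAC survives:", injected_script_survives(resigned))
    print("check patched out, survives:", injected_script_survives(stale, True))
```

The point the example makes is that an integrity MAC only protects a file as long as the attacker cannot either recompute it or stop it from being checked; a modifier that already runs with enough privilege to patch the browser's own code has the second option regardless of how the seed is protected.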
Adrozek can also stop browsers from updating to the latest version by adding a policy that disables updates. It changes further system settings to gain additional control over the compromised device.
Adrozek activity is heavily concentrated in Europe, South Asia and Southeast Asia, the researchers said. Since the campaign is still active, however, it could spread to other regions over time.
Microsoft advises users to run an antivirus solution such as Microsoft Defender Antivirus, whose built-in endpoint protection uses behaviour-based and machine-learning detectors to block malware families including Adrozek.
The campaign appears to be limited to Windows devices; nothing in Microsoft's findings indicates an impact on macOS or Linux machines.
Earlier this year, Microsoft removed a set of extensions from its Edge Add-ons store that injected ads into Google and Bing search results, and Google took similar action on the Chrome Web Store to stop attackers from generating revenue by silently inserting ads into search results. A campaign like Adrozek, which modifies extensions that are already installed rather than distributing its own through the stores, calls for a tougher response than delisting extensions.