Microsoft said that from May to September it recorded hundreds of thousands of encounters with the Adrozek malware globally.
Google Chrome, Firefox, Microsoft Edge, and Yandex Browser are affected by an ongoing malware campaign designed to inject advertisements into search results and install malicious browser extensions, Microsoft disclosed on Thursday. Dubbed Adrozek, the newly identified malware family has been active at scale since at least May this year, and the attacks peaked in August, when the threat was found on more than 30,000 devices every day.
Microsoft said that from May to September, hundreds of thousands of Adrozek encounters were recorded globally. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn hosted an average of over 15,300 distinct, polymorphic malware samples.
The end goal of the campaign is to drive traffic to affiliate sites by injecting ads into search results. To do this, the malware silently installs malicious browser extensions and changes browser settings to insert ads into web pages, often on top of legitimate search engine ads. It is also reported to modify a DLL specific to the targeted browser, e.g. MsEdge.dll on Microsoft Edge, to disable security controls.
The Microsoft 365 Defender Research Team stated in a blog post that while cybercriminals abusing affiliate programmes is nothing new, this campaign uses a single piece of malware that affects multiple browsers. The malware also exfiltrates website credentials, which poses additional risks to users.
What distinguishes Adrozek from earlier threats is how it gets onto a computer: it is installed through drive-by download, with installer file names following the standard setup .exe naming style. When run, the installer drops an .exe with a random file name in the temporary folder, which in turn drops the main payload in the Program Files folder. This payload is disguised as legitimate audio-related software, with names such as Audiolava.exe, QuickAudio.exe, or converter.exe.
Researchers also found that the malware is installed much like normal software and is listed in the Apps & Features settings. It is even registered as a Windows service of the same name. These tricks can help it evade detection by ordinary antivirus software.
Once installed, Adrozek modifies certain browser extensions. The Microsoft team observed this most clearly on Google Chrome, where it usually modifies the default “Chrome Media Router” extension. On Microsoft Edge and Yandex Browser, it uses legitimate extension IDs, such as “Radioplayer.”
“Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions,” said Microsoft’s research team in the blog post.
The malicious scripts connect to the attackers’ server and fetch additional scripts that inject ads into the search results.
“In the past, browser modifiers computed hashes as browsers do and modified Secure Preferences accordingly. Adrozek goes a step further and patches the integrity check function,” the post said.
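A defender-side check for the extension tampering described above, added here as an example and not taken from the page or from Microsoft: it audits unpacked extension directories against a baseline manifest hash and flags content scripts that run on search-engine result pages. The extension name, manifests and baseline hashes are constructed sample data, not real Chrome files.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hosts an ad-injecting content script must be able to reach (constructed list).
SEARCH_HOSTS = ("google.", "bing.", "yandex.", "duckduckgo.")

def _matches_search_engine(pattern):
    """True if a manifest match pattern covers search-engine result pages."""
    return pattern in ("<all_urls>", "*://*/*") or any(h in pattern for h in SEARCH_HOSTS)

def audit_extension(ext_dir, known_hashes):
    """Return findings for one unpacked extension; an empty list means clean."""
    findings = []
    manifest_path = Path(ext_dir) / "manifest.json"
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    name = manifest.get("name", Path(ext_dir).name)
    # Check 1: a bundled (default) extension's manifest must match the vendor baseline.
    digest = hashlib.sha256(manifest_path.read_bytes()).hexdigest()
    if name in known_hashes and known_hashes[name] != digest:
        findings.append(f"{name}: manifest.json differs from baseline")
    # Check 2: content scripts injected into search-engine pages are how ads get inserted.
    for cs in manifest.get("content_scripts", []):
        if any(_matches_search_engine(m) for m in cs.get("matches", [])):
            findings.append(f"{name}: content script {cs.get('js')} runs on search pages")
    return findings

def build_sample(root):
    """Write a constructed clean extension and a tampered copy; return the baseline."""
    clean = {"name": "Media Router", "version": "1.0", "manifest_version": 2,
             "background": {"scripts": ["background.js"]}}
    tampered = dict(clean)  # same name, but with an added search-page content script
    tampered["content_scripts"] = [{"matches": ["*://*.google.com/*", "*://*.bing.com/*"],
                                    "js": ["inject.js"], "run_at": "document_end"}]
    for sub, m in (("clean", clean), ("tampered", tampered)):
        d = Path(root) / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(m, indent=1), encoding="utf-8")
    baseline = hashlib.sha256((Path(root) / "clean" / "manifest.json").read_bytes()).hexdigest()
    return {"Media Router": baseline}  # baseline hash taken from the clean install

def run_demo():
    """Audit both constructed extensions; returns {dir_name: findings}."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample(root)
        return {sub: audit_extension(Path(root) / sub, baseline) for sub in ("clean", "tampered")}
```

In practice the baseline hashes would come from a known-good browser install of the same version, and the check would be run across every profile's extensions directory.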
Adrozek has also been found to prevent browsers from being updated to new releases by adding a policy that turns off updates. In addition, it modifies system settings to gain more control over the compromised device.
Adrozek has been heavily concentrated in Europe, South Asia, and Southeast Asia, the researchers said. However, since the campaign is still ongoing, it may expand over time to other regions.
Microsoft recommends that users install an antivirus solution such as Microsoft Defender Antivirus, which is integrated with an endpoint security solution and uses behaviour-based, machine learning-driven detection to block malware families like Adrozek.
That said, the scope of the new malware campaign appears to be limited to Windows computers, as there are no findings showing any effect on macOS or Linux machines.
Earlier this year, Microsoft announced a list of extensions from its Edge Add-ons store that inserted advertisements into Google and Bing search results. Google has already taken similar steps on the Chrome Web Store to stop attackers from earning revenue by covertly injecting ads into search results. However, a malware campaign like Adrozek appears to take a more aggressive approach that bypasses the web stores entirely.