Microsoft is warning about a new malware campaign targeting major browsers such as Google Chrome, Microsoft Edge, Yandex, and Mozilla Firefox that silently injects additional ads into search engine results pages.
The new malware, which Microsoft called Adrozek, hijacks browsers by adding browser extensions, modifying a specific DLL, and changing browser settings. The goal of the malware is to inject additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. When clicked, these ads lead users to affiliated sites, which pay the attackers according to the amount of traffic Adrozek drives to their websites.
The Adrozek campaign has been active since at least May 2020, and at its peak in August the malware had been observed on more than 30,000 devices. Microsoft said that from May to September 2020 it detected hundreds of thousands of infections all over the world, with heavy concentration in Europe and in South Asia and Southeast Asia.
Adrozek is distributed via drive-by downloads from 159 domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic Adrozek samples on average.
Once installed, the malware makes multiple changes to browser settings and components. It tampers with certain browser DLLs and modifies certain browser extensions by adding several JavaScript files responsible for injecting advertisements into search results, or by creating a new folder containing the same malicious components. The malware also changes security settings in the browsers and establishes persistence across reboots using a registry key.
“To prevent the browsers from being updated with the latest versions, which could restore modified settings and components, Adrozek adds a policy to turn off updates,” Microsoft said.
In the case of Firefox, the malware also steals user credentials, downloading randomly named .exe files that collect device information and the currently active username. Adrozek looks for specific keywords like encryptedUsername and encryptedPassword to locate the encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to the attackers.
“Adrozek shows that even threats that are not thought of as urgent or critical are increasingly becoming more complex. And while the malware’s main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allows attackers to gain a strong foothold on a device. The addition of credential theft behavior shows that attackers can expand their objectives to take advantage of the access they’re able to gain,” Microsoft said.
The company recommends that users who encountered this threat on their devices reinstall their browsers.