Several web browsers, including Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox, are affected by a new malware family designed to inject ads into search results and add malicious browser extensions. Microsoft discovered the malware, Adrozek, in May; activity peaked in August, when it affected over 30,000 devices every day. The company explains that Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorised ads into web pages, often on top of legitimate ads from search engines. The attackers earn money through affiliate advertising programmes, which pay by the amount of traffic referred to sponsored affiliate pages. Adware is typically not considered a serious threat, but it can still be dangerous: it is capable of extracting users' location and other credentials, posing a risk of unauthorised access to personal information.
The company also explains that malware designed to inject ads into web browsers is not new; however, the number of browsers affected by Adrozek indicates the sophistication of the new malicious campaign. As mentioned, the malware also allows attackers to exfiltrate website credentials, exposing affected devices to additional risks. The company says it has tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host an average of over 15,300 distinct, polymorphic malware samples. The countries most affected by this malware include India and western European countries.
In a blog post, the Microsoft 365 Defender Research Team says the Adrozek malware also modifies some of the browsers' DLL files to change browser settings and disable security features. Once the files are modified, the malware halts automatic browser security updates, allows the malicious extensions to run without obtaining the appropriate permissions, and even hides the extension from the toolbar. "In the past, browser modifiers calculated the hashes like browsers do and updated the Secure Preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check. The two-byte patch nullifies the integrity check, which makes the browser potentially more vulnerable to hijacking or tampering," the company explained.
New blog post: Attackers have been actively distributing Adrozek, an evolved browser modifier, at scale. At its peak, the threat was observed on >30K devices every day. The malware injects ads into search results pages and affects multiple browsers. https://t.co/s62oAYI3oc
— Microsoft Security Intelligence (@MsftSecIntel) December 10, 2020
At the moment, the malware appears to impact devices running Windows, and there is no information on macOS or Linux systems. Adrozek is installed on devices through drive-by downloads. Microsoft says users are advised to download Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, to block such threats using behaviour-based, machine learning-powered protections. End users who find this threat on their devices are advised to re-install their browsers, the company noted.