Users or organizations with malicious intents have emphasized their mark on this unfortunate year. The methods they use range from malware, spyware, ransomware to even targetting Covid-19 supply chains. Now, there is a dangerous ongoing malware campaign called Adrozek threatening to target users and steal data across multiple browser platforms.
A Sophisticated Malware Campaign
Microsoft released a report less than 24 hours ago, warning that there is an ongoing and very persistent malware campaign that effectively pushes ads containing malware via search results. The Microsoft 365 Defender Research team stated that the objective of the campaign is to inject an abundance of affiliate links into users’ search results, making this a form of adware. Consequently, the goal is to reach as many people as possible and to profit from it. Microsoft named this type of malicious code, Adrozek. This type of code belongs to a group of browser modifiers. The threat injects ads into search engine results pages (SERPs). Adrozek is a multi-browser cross-platform malware campaign that affects; Yandex Browser, Google Chrome, Microsoft Edge as well as Mozilla Firefox, and possibly more. Browser modifiers are nothing new, but what makes Adrozek different is that it can act on multiple browsers while constantly extracting credentials. It will also crawl into the small cracks in the targetted device’s system architecture.
Further Information About Adrozek
According to the official Microsoft report, the Adrozek malware is believed to have been active since May 2020, having peaked somewhere in August. More than 30,000 devices were being affected daily at the time of the peak.
Browser Modification
The malware installs browser extensions, changes browser settings, and modifies DLLs to place scam ads in front of authentic ads when a user searches on a search engine. It is also able to mutate and evolve, which makes it potentially very dangerous.
Theft of Credentials
Adrozek is very dangerous not only because it is ongoing and very persistent, but because it can steal credentials and extract data to malicious servers like it is already doing on Mozilla Firefox.
Malicious EXE Files
Microsoft has confirmed that the malware includes malicious installers such as ‘quickaudio.exe’, ‘converter.exe’, and ‘audiolava.exe’ that, once installed, hijack the browser on the machine and make multiple changes.
Modifying System Settings
Adrozek doesn’t stop there. While it messes with the browser settings, it delves into system settings and parameters to gain control of the device where it stores its own registry keys. To add to the persistence, it also creates a service for itself that can run in the background.
Large-Scale Attack Operation
Adrozek is de facto a big operation operating throughout the globe, hosting thousands of URLs, hundreds of domains, and tens of thousands of unique malware samples. The concentration is highest in areas of Asia and Europe, at the moment.
How To Stop Adrozek
The image examples on the official report page are crucial to be able to confirm if a browser is infected. Microsoft has also included an attack distribution map, which they say is growing every day. They have stated that to effectively protect from such advanced campaigns it is important that behavior-based detection and visibility into the entire attack chain are ensured. Using Microsoft Defender 365 which is already trained to fight Adrozek, is one suggestion. If the user is using Edge, using Smartscreen is a good idea. One should avoid any ‘drive-by‘ (hidden) downloads, so users must keep all software up to date. If the malware is found, it is advisable to re-install the browser, install anti-malware software, and always keep protection software updated. Finally, a user should always check the legitimacy of what they are downloading.
