On Thursday Microsoft warned that there’s an ongoing campaign to distribute malware that modifies web browsers to conduct credential theft and ad fraud.
Since at least May, 2020, unidentified cybercriminals have been distributing a family of browser modifiers dubbed Adrozek, Microsoft said. The code, which targets Google Chrome, Microsoft Edge, Mozilla Firefox, and Yandex Browser on Windows, mainly injects ads into search results pages.
“If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines,” the Microsoft 365 Defender Research Team said its blog post.
“The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages.”
Chrome extensions are ‘the new rootkit’ say researchers linking surveillance campaign to Israeli registrar Galcomm
The attackers make their money through participation in advertising affiliate programs, which pay for the online traffic referred to specific web pages. To date, these ads don’t appear to point to sites hosting other malware, but Microsoft suggests that could change at any time.
In Firefox, Adrozek also scans the victim’s device for stored user credentials and sends what it finds to the attacker.
Such attacks and tactics have been seen before, but according to Microsoft, the scale and complexity of the campaign, targeting multiple browsers via distributed infrastructure, shows cybercriminals becoming more sophisticated in their efforts.
Microsoft said it has detected 159 unique domains, each hosting an average of 17,300 unique URLS that each host more than 15,300 unique, polymorphic malware samples on average. Its systems measured hundreds of thousands of contacts with Adrozek malware, mainly in Europe, South Asia, and Southeast Asia. And the campaign is ongoing.
This distribution system offers up software for download that unwitting victims run. The installer drops a randomly named .exe file that installs a primary payload disguised as legitimate audio software in the Windows Program Files folder. The installed code then makes changes to various browser components and settings to enable ad injection and credential theft.
Adrozek also attempts to alter browser DLLs, such as MsEdge.dll in Microsoft Edge so changes to the Secure Preferences file won’t be noticed. In Chromium-based browsers, it modifies a security-related hash integrity check used to prevent tampering. It also adds a policy to prevent the browsers it subverts from being updated.
Microsoft says that its Defender Antivirus, which ships with Windows 10, can defend against Adrozek. And it advises those who find the malware on their system to reinstall their browser. ®