Microsoft warns of Adrozek ad-injection campaign affecting all major browsers

Adrozek adds browser extensions which connect to the attacker's servers, modifies browser settings to inject ads, and disables security features

Microsoft on Thursday warned of a new malware campaign that targets Chrome, Edge, Firefox, Yandex and other major browsers on Windows machines in order to inject ads into search results pages.

The campaign has been active since at least May 2020, according to Microsoft, and has already infected hundreds of thousands of devices with Adrozek malware.

"In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia," Microsoft researchers noted.

To infect a device, the attackers first drop a file in the Windows temporary folder; that file in turn downloads the main payload, which is given a file name that makes the malware look like a legitimate audio-related application.

If not blocked, Adrozek adds browser extensions (which connect to the attacker's server) and modifies browser settings so that unauthorised ads are injected into web pages. It also tampers with the browsers' DLL files to disable security features, so the browser does not flag or revert the modified settings.

According to Microsoft, the Adrozek samples are polymorphic: the campaign uses 159 domains that host hundreds of thousands of unique samples, so no two downloads need share a file hash. This makes the samples hard to catch with signature-based antivirus, which is why Microsoft emphasises behaviour-based detection.

The ads injected by Adrozek are mainly affiliate links, so the operators get a cut of every purchase the victim completes after clicking one of the injected ads.

With the Firefox browser, the malware goes a step further and attempts to steal user credentials from the device. It searches for certain keywords to locate the browser's encrypted credential data, decrypts that data and then sends it to the attackers.

The group behind the campaign appears to be skilled and well resourced: the malware can infect multiple browsers, maintain persistence and exfiltrate user credentials, which exposes victims to risks beyond unwanted ads.

The paths and extension IDs used by the malware for each browser are given below:

Browser: example extension path

Microsoft Edge: %localappdata%\Microsoft\Edge\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch

Google Chrome: %localappdata%\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm (might vary)

Mozilla Firefox: %appdata%\Roaming\Mozilla\Firefox\Profiles\<profile>\Extensions\{14553439-2741-4e9d-b474-784f336f58c9}

Yandex Browser: %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch

Source: Microsoft
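The paths above are the most directly usable indicators on the page, so here is a PowerShell hunt for them. This is an added example written for this article, not Microsoft's own tooling. It makes a few assumptions beyond the table: it wildcards the browser profile directory (Microsoft's paths show only "Default" and "<profile>"), it appends a wildcard to the Firefox entry so that both a packed {guid}.xpi file and an unpacked {guid} directory are matched, and it treats a miss on the Chrome ID as inconclusive because the table notes that ID "might vary". Note also that %appdata% already resolves to ...\AppData\Roaming on Windows, so the script builds the Firefox path from the profile root rather than repeating "Roaming".

```powershell
# Added example (not from Microsoft or the article): look for the Adrozek
# extension IDs listed above under one Windows user profile.

function Find-AdrozekExtension {
    param(
        # Root of one Windows user profile, e.g. C:\Users\alice (assumption:
        # browsers are installed per user in the default AppData locations)
        [Parameter(Mandatory)] [string] $UserProfile
    )

    $local = Join-Path $UserProfile 'AppData\Local'
    $roam  = Join-Path $UserProfile 'AppData\Roaming'   # what %appdata% expands to

    # Indicator list taken from the table above; '*' for the profile folder
    # and the trailing '*' on the Firefox entry are this example's additions.
    $indicators = @(
        @{ Browser = 'Microsoft Edge';  Conclusive = $true
           Path = Join-Path $local 'Microsoft\Edge\User Data\*\Extensions\fcppdfelojakeahklfgkjegnpbgndoch' }
        @{ Browser = 'Google Chrome';   Conclusive = $false   # ID "might vary"
           Path = Join-Path $local 'Google\Chrome\User Data\*\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm' }
        @{ Browser = 'Mozilla Firefox'; Conclusive = $true
           Path = Join-Path $roam  'Mozilla\Firefox\Profiles\*\Extensions\{14553439-2741-4e9d-b474-784f336f58c9}*' }
        @{ Browser = 'Yandex Browser';  Conclusive = $true
           Path = Join-Path $local 'Yandex\YandexBrowser\User Data\*\Extensions\fcppdfelojakeahklfgkjegnpbgndoch' }
    )

    foreach ($i in $indicators) {
        # Get-Item expands the wildcards; missing browsers simply yield nothing.
        Get-Item -Path $i.Path -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                User     = Split-Path $UserProfile -Leaf
                Browser  = $i.Browser
                Path     = $_.FullName
                Modified = $_.LastWriteTime      # rough install time of the extension
            }
        }
    }

    # A clean Chrome result is not proof of absence because its ID may differ;
    # surface that as a note so the reader does not over-trust a clean run.
    $chrome = Join-Path $local 'Google\Chrome\User Data'
    if ((Test-Path $chrome) -and -not (Get-Item -Path $indicators[1].Path -ErrorAction SilentlyContinue)) {
        Write-Verbose "Chrome present for $UserProfile but known ID not found; ID may vary, review Extensions manually."
    }
}

# Current user only:
$hits = Find-AdrozekExtension -UserProfile $env:USERPROFILE -Verbose

# Every profile on the host (run elevated):
# $hits = Get-ChildItem -Path 'C:\Users' -Directory |
#             ForEach-Object { Find-AdrozekExtension -UserProfile $_.FullName }

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Adrozek extension indicators found; reinstall the affected browser(s) as Microsoft advises.'
} else {
    Write-Output 'No known Adrozek extension IDs found.'
}
```

The script reports only the extension artefacts; it does not check the dropper in the temporary folder or the modified browser DLLs described earlier, because the article gives no file names or hashes for those. A hit on any of the conclusive IDs is enough to follow Microsoft's advice and reinstall the browser; a clean Chrome result should still be followed by a manual look at the Extensions folder, since that ID is documented as varying.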

Microsoft advises users infected by Adrozek to re-install their browsers.

"Considering the massive infrastructure that was used to distribute this threat on the web, users should also educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites," the researchers said.

"For enterprises, defenders should look to reduce the attack surface for these types of threats."

"It's also important for enterprises to gain deep visibility into malicious behaviours on endpoints and the capability to correlate with threat data from other domains like cloud apps, email and data, and identities."