Microsoft has warned of a malware that secretly injects ads into search results on browsers. A recent report from Microsoft 365 Defender Research Team shares details about a persistent malware campaign using browser modifiers dubbed “Adrozek.”
“A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day,” Microsoft said in a blog post. “The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers — Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox — exposing the attackers’ intent to reach as many Internet users as possible,” it said.
If it goes undetected, the malware makes changes to security preferences of devices, turn off updates, modifies browser settings and in some cases, steals user credentials.
Once installed, Adrozek can add browser extensions, modify a specific DLL per target browser, and change browser settings “to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines.”
For instance, searching for certain keywords can cause users to inadvertently click on malware-inserted ads, which lead to affiliated pages. It can also exfiltrate website credentials posing additional risks.
For instance, on Google, the malware typically modifies “Chrome Media Router” on of Chrome’s default extensions. It uses IDs of legitimate extensions such as “Radioplayer” for disguise on Microsoft Edge and Yandex Browser.
The malware also sends information about the device to the said remote server. It uses drive-by download method for installation on targeted devices. It leverages unique domains to distribute hundreds of thousands of unique malware samples.
Microsoft’s team of security researchers have tracked 159 unique domains, “each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average.”
“In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia,” the team said.
Microsoft suggests using advanced security solutions that can detect and block such malware families.