iGuRu

Microsoft warns of Adrozek infecting browsers

12/12/2020 10:22 by Dimitris

Microsoft has warned of malware called Adrozek, which affects all the well-known browsers and has been infecting as many as 30,000 devices every day.


On compromised computers, Adrozek inserts ads into search engine results pages and can compromise Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox.

The malware uses scripts downloaded from servers controlled by Adrozek operators to insert ads into the compromised web browser.

Microsoft recommends that users who find this threat on their devices reinstall their browsers.

If Adrozek is not detected and blocked, it goes on to add browser extensions, modify a specific DLL for each browser and change the browser settings so that it can insert additional, unauthorized ads into web pages.

Figure 1: Comparison of search results on a clean and an infected browser.

Although Microsoft has not yet found evidence that Adrozek is being used to deliver other malware to its victims' computers through its advertisements, this could happen at any time.

The attackers could easily infect their targets with additional malicious payloads, or sell their access to other cybercrime gangs.

Adrozek's operators currently make money the same way other browser modifiers do: through affiliate advertising programs, which pay for referral traffic to specific sites.

The intended result is that users who search for specific keywords inadvertently click on these maliciously inserted ads, which lead to the pages they link to.

Hundreds of thousands of infected devices
In total, this ongoing campaign has so far used 159 domains and approximately 17,300 unique URLs, and from May to September 2020 it managed to infect hundreds of thousands of devices.

This massive campaign is still active and spreading to new computers every day, and the Adrozek infrastructure continues to expand and add new domains. "The distribution infrastructure is also very dynamic. Some of the domains operated for a single day, while others were active for up to 120 days," Microsoft said.

Interestingly, some of the domains distribute clean files such as Process Explorer, possibly an attempt by the attackers to improve the reputation of these domains and their URLs and so evade network security tools.

As the map of the malware's geographical distribution below shows, Greece is heavily infected, as is the whole of Europe.

Figure 2: Geographic distribution of Adrozek infections.

Adrozek features
Between May and September 2020, the attackers behind Adrozek infected their targets with a heavily obfuscated malicious executable, which is dropped in the computer's %temp% folder. This binary later installs the main malicious payload in the Program Files folder, disguised as legitimate audio software.

Once installed on the device, Adrozek starts adding malicious scripts, which it uses to inject ads, into various extensions of each of the browsers.

Figure 4: The Adrozek attack chain.

The malware disables security controls in Microsoft Edge and other Chromium-based browsers, turns off safe browsing, and enables the compromised extensions in incognito mode.

It also turns off automatic browser updates, to ensure that the tampered browser files are not restored to a clean version.

Adrozek persists by adding registry entries and creating a new Windows service called "Main Service", so that the main malware payload starts automatically when the system boots.

On systems where Mozilla Firefox is installed, Adrozek will also steal encrypted user credentials from victims' profiles.

Thus, while the main purpose of the malware is to inject ads and refer traffic to specific sites, the attack chain includes sophisticated behaviour that allows the intruders to gain a strong foothold on a device.
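Two of the behaviours described above leave traces a defender can look for directly: the persistence service named "Main Service" and the modified browser DLL. The PowerShell script below is an added example, not code from the article or from Microsoft's report; it assumes the browsers were installed at their default paths (adjust the list for your environment) and relies on the fact that every DLL shipped by a browser vendor carries a valid Authenticode signature.

```powershell
# Added example: hunt for the Adrozek traces described in the article.
# Default install paths are assumed; Yandex Browser is left out because its
# install location varies per user.
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
)

# 1. Persistence: a Windows service whose name or display name is "Main Service".
$suspectServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq 'Main Service' -or $_.DisplayName -eq 'Main Service' }

if ($suspectServices) {
    foreach ($svc in $suspectServices) {
        # PathName shows which binary the service launches at boot.
        Write-Warning ("Suspicious service '{0}' starts: {1}" -f $svc.Name, $svc.PathName)
    }
} else {
    Write-Output "No service named 'Main Service' found."
}

# 2. DLL tampering: report every DLL in a browser install directory whose
#    Authenticode signature is missing or invalid, with its last write time
#    so it can be compared against the browser's own installation date.
$badDlls = foreach ($dir in $browserDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File      = $_.FullName
                    Status    = $sig.Status
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

if ($badDlls) {
    $badDlls | Format-Table -AutoSize
} else {
    Write-Output "All browser DLLs carry a valid Authenticode signature."
}
```

Treat an unsigned DLL as a lead rather than proof: confirm it against a known-good copy of the browser before reinstalling, as Microsoft advises.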
