Ad-injecting malware hijacks Chrome, Edge, Firefox

When searching for things online, has a greater number of ads than usual been popping up at the top of your search results? If it has, and you’re using Microsoft Edge, Google Chrome, Yandex Browser, or Mozilla Firefox, you might have fallen prey to the ad-injecting Adrozek malware.

According to Microsoft, cybercriminals have been pushing it on users since at least May 2020 and, at its peak in August, it was observed on over 30,000 devices every day.

“Adrozek shows that even threats that are not thought of as urgent or critical are increasingly becoming more complex. And while the malware’s main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allow attackers to gain a strong foothold on a device,” the Microsoft 365 Defender Research Team warned.

Adrozek’s capabilities

Adrozek malware is capable of:

• Modifying browser extensions by adding malicious scripts to them, which fetch additional scripts to injecting advertisements into search results
• Modifying specific DLLs (depending on the browser), to turn off security controls that might detect its actions
• Modifying browser’s security settings/preferences to (for example) add permissions that enable the malicious extensions to have more control over Chrome APIs, or to prevent the browsers from being updated with the latest versions.
• Modifying several systems settings to have even more control of the compromised device and maintain persistence
• Stealing user credentials (on Firefox)

“Adrozek is installed on devices through drive-by download,” Microsoft explained. “In our tracking of the Adrozek campaign from May to September 2020, we saw 159 unique domains used to distribute hundreds of thousands of unique malware samples. As this campaign is ongoing, this infrastructure is bound to expand even further.”

The crooks behind this campaign are earning money through affiliate advertising programs, i.e., they are paid for traffic referred to sponsored affiliated pages. Microsoft says that they didn’t see the injected ads point to malicious sites, but that could easily change.

Prevention and mitigation

Microsoft says that its Defender Antivirus on Windows 10 blocks the ad-injecting Adrozek malware and, by now, other security solutions likely do as well.

Users who have been infected have been advised to re-install their browsers.

“Considering the massive infrastructure that was used to distribute this threat on the web, users should also educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites,” Microsoft added.

“For enterprises, defenders should look to reduce the attack surface for these types of threats. Application control allows organizations to enforce the use of only authorized apps and services.”