Microsoft has raised the alarm today about a new malware strain that infects users' devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.
Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day.
But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed "hundreds of thousands" of Adrozek detections all over the globe.
Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia.
How Adrozek spreads and works
Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.
The boobytrapped software installs the Androzek malware, which then proceeds to obtain reboot persistence with the help of a registry key.
Once persistence is assured, the malware will look for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, or the Yandex Browser.
If any of these browsers are found on infected hosts, the malware will attempt to force-install an extension by modifying the browser's AppData folders.
To make sure the browser's security features don't kick in and detect unauthorized modifications, Adrozek also modifies some of the browsers' DLL files to change browser settings and disable security features.
Modifications performed by Adrozek include:
- Disabling browser updates
- Disabling file integrity checks
- Disabling the Safe Browsing feature
- Registering and activating the extension they added in a previous step
- Allowing their malicious extension to run in incognito mode
- Allowing the extension to run without obtaining the appropriate permissions
- Hiding the extension from the toolbar
- Modifying the browser's default home page
- Modifying the browser's default search engine
All of this is done to allow Adrozek to inject ads into search results pages, ads that allow the malware gang to gain revenue by directing traffic towards ad and traffic referral programs.
But if this wasn't bad enough, Microsoft says that on Firefox, Adrozek also contains a secondary feature that extracts credentials from the browser and uploads the data to the attacker's servers.
A massive operation expected to grow even further
Microsoft says the Adrozek operation is extremely sophisticated, and especially in regards to its distribution infrastructure.
The OS maker said it tracked 159 domains that hosted Adrozek installers since May 2020. Each domain hosted on average 17,300 dynamically-generated URLs, and each URL hosted more than 15,300 dynamically-generated Adrozek installers.
"While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational," Microsoft said.
"The distribution infrastructure is also very dynamic. Some of the domains were up for just one day, while others were active for longer, up to 120 days."
All in all, due to its prolific use of polymorphism to constantly rotate its malware payloads and distribution infrastructure, Microsoft expects the Adrozek operation to grow even more in the coming months.
In case users notice that their browsers are returning search results with a large number of ads, the Microsoft Adrozek report contains indicators of compromise that will help them determine if they've been infected.
"End users who find this threat on their devices are advised to re-install their browsers," Microsoft said today.