
How to Secure Your Web Browsers from Adrozek Malware

by CISOCONNECT Bureau

Recently, Google Chrome, Microsoft Edge, and Firefox were infected by Adrozek malware. Read on to know more about it…

Recently, researchers at Microsoft revealed that major internet browsers like Google Chrome, Firefox, Microsoft Edge and Yandex were hit by a massive Adrozek malware campaign. The researchers said that this campaign has been active since at least May 2020. Microsoft revealed that the malware was at its peak in August, when the threat was observed on over 30,000 devices every day.

Repercussions
The Adrozek campaign is built to inject fraudulent ads into search results and siphon off users’ personal information. The malware also disables auto-updates for the affected web browsers. “If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines,” explained the researchers. Explaining the scale of the attack, Microsoft said, “We tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average.”

Mozilla Firefox was the worst affected browser, because on Firefox Adrozek also performed credential theft. It downloaded an additional, randomly named .exe file that collects device information and the currently active username and sends this information to the attacker. “The malware targeted certain keywords like encryptedUsername and encryptedPassword to locate encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to attackers,” Microsoft added.

“The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliate pages. The attackers earn through affiliate advertising programs, which pay by the amount of traffic referred to sponsored affiliated pages,” Microsoft explained.

Working Mechanism
To deliver the malware, the attackers have been resorting to drive-by downloads. These can occur when a user clicks on a malicious link or visits a website that has been tampered with: the download is triggered on the PC, and the malware can sometimes install itself by exploiting a software vulnerability.

In this case, Adrozek drops an .exe file in the PC’s “temp” folder. That .exe then writes the main malware payload to the “Program Files” folder under a file name such as “Audiolava.exe, QuickAudio.exe, and converter.exe,” Microsoft said.

Microsoft tracked Adrozek’s distribution to 159 unique domains, which hosted tens of thousands of URLs to try and spread the malware.

Mitigation
Microsoft reported: “To prevent the browsers from being updated with the latest versions, which could restore modified settings and components, Adrozek adds a policy to turn off updates.”
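Because an update-disabling policy is something a defender can look for, here is an added audit script (not from the article or from Microsoft’s report) that checks the documented update-policy locations for Chrome, Edge and Firefox in the Windows registry; which of these values Adrozek itself sets is an assumption, as is the constructed sample data used when the script is run off Windows.

```python
"""Audit Windows registry policies that turn off browser updates.

Added example, not code from the article or from Microsoft's report.
The registry paths are the documented update-policy locations for each
browser; that a browser modifier sets exactly these values is an assumption.
"""
import sys

# (browser, key under HKEY_LOCAL_MACHINE, value name, value meaning "updates off")
UPDATE_POLICIES = [
    ("Chrome", r"SOFTWARE\Policies\Google\Update", "UpdateDefault", 0),
    ("Chrome", r"SOFTWARE\Policies\Google\Update",
     "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}", 0),  # Chrome app GUID
    ("Edge", r"SOFTWARE\Policies\Microsoft\EdgeUpdate", "UpdateDefault", 0),
    ("Firefox", r"SOFTWARE\Policies\Mozilla\Firefox", "DisableAppUpdate", 1),
]


def find_disabled_updates(policy_values):
    """policy_values maps (key path, value name) -> DWORD as read from HKLM.
    Returns the sorted list of browsers whose updates a policy turns off."""
    hits = set()
    for browser, path, name, off_value in UPDATE_POLICIES:
        if policy_values.get((path, name)) == off_value:
            hits.add(browser)
    return sorted(hits)


def read_policy_values():
    """Read the policy values above from the live registry (Windows only)."""
    import winreg
    found = {}
    for _, path, name, _ in UPDATE_POLICIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, name)
                found[(path, name)] = value
        except OSError:
            continue  # key or value absent: no such policy is set
    return found


# Constructed sample: Firefox updates disabled, Chrome policy left at "allow".
SAMPLE_VALUES = {
    (r"SOFTWARE\Policies\Mozilla\Firefox", "DisableAppUpdate"): 1,
    (r"SOFTWARE\Policies\Google\Update", "UpdateDefault"): 1,
}

if __name__ == "__main__":
    values = read_policy_values() if sys.platform == "win32" else SAMPLE_VALUES
    for browser in find_disabled_updates(values):
        print(f"[!] {browser}: a policy disables updates; confirm it is sanctioned")
```

A hit is not proof of infection, since administrators legitimately set these policies; treat it as a prompt to check who set it and when.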

To shield oneself against Adrozek and similar browser modifiers, Microsoft suggests that you do not download files from disreputable sources. You are also recommended to use antivirus services for protection. Also, as a precautionary measure, you should uninstall and then reinstall the web browsers you are using right now.

Microsoft’s built-in Windows Defender antivirus can also detect and block Adrozek. Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, uses behaviour-based, machine-learning-powered detections to block it.

It is also recommended to keep web browsers updated and to review installed extensions and plugins for anything suspicious.

Configuring security software to automatically download and install updates, as well as running the latest versions of the operating system and applications and deploying the latest security updates help harden endpoints from threats.
