Fraud Management & Cybercrime , Malware as-a-Service

Adrozek Modifier Affecting Edge, Chrome, Firefox Browsers

Microsoft: Thousands of Devices Infected With the Ad-Injecting Malware
Adrozek Modifier Affecting Edge, Chrome, Firefox Browsers
The Adrozek attack chain. (Source: Microsoft)

Microsoft security researchers have been tracking a browser modifier dubbed Adrozek that is installed on an individual device and can modify four widely used browsers to inject ads into their search results.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The Microsoft 365 Defender Research Team says Adrozek has been attacking Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox since at least May with malware that injects ads into search engine result pages. Microsoft believes hundreds of thousands of devices could be affected.

"If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines," Microsoft says.

The attackers' desired result is for those searching a topic using specific keywords to inadvertently click on these malware-inserted ads, which lead to affiliated pages. With Mozilla Firefox, there are examples of Adrozek performing credential theft by adding an extra script that collects device information and the currently active username.

The browser modifier is still operating, Microsoft says, and anyone finding the malware on their device must reinstall the browser to eliminate the threat.

Information Security Media Group asked the browser publishers to comment, but did not immediately receive replies.

Abusing the Affiliate Ad Programs

Affiliate ad programs are set up by merchants who then pay third parties a fee for each lead or sale they help generate. Placing these ads high in the targeted search engines' result helps drive traffic to ads controlled by the threat actors. Microsoft notes that abusing these programs is old hat for cybercriminals, but Adrozek has brought something new to the table (see: Google Removes 500 Chrome Extensions Tied to Malvertising).

"The fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks," Microsoft says.

Microsoft researchers found the attackers have developed a very large support system for their scam. This includes creating 159 unique domains each hosting more than 17,000 unique URLs, which in turn host more than 15,000 unique, polymorphic malware samples.

Adrozek was spotted in hundreds of thousands of encounters between May and September, peaking in August when it was observed on over 30,000 devices every day, according to Microsoft.

"While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational," the report notes.

So far, the injected ads are not pointing to any malicious sites and the threat actors are content to make money through the affiliate program, but Microsoft says this could change at any time.

Drive-By Downloads

The malware is installed on a device via a drive-by download when a user inadvertently visits one of the malicious domains controlled by the attacker. The malware is dropped into the browser's Program Files folder using a name that makes it appear to be audio-related software to help avoid detection.

Once installed, Adrozek makes multiple changes to the browser settings and components. These changes allow the malware to inject ads into search engine result pages. Changes are also made to browser extensions. For example, on Google Chrome, Adrozek normally modifies Chrome Media Router, one of the browser’s default extensions.

"Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions. In some cases, the malware modifies the default extension by adding seven JavaScript files and one manifest.json file to the target extension’s file path. In other cases, it creates a new folder with the same malicious components," Microsoft says.

These scripts are part of the communications process and connect to the command-and-control server, which handles injecting the desired malicious ads onto the victim's device.

Maintaining Persistence

The malware has several tools at its disposal to maintain persistence. First, the malware alters some of the browser DLLs to turn off security controls. Next, since most browsers can detect any unauthorized modifications, the malware puts in place a two-byte patch that nullifies the integrity check, which makes the browser potentially more vulnerable to hijacking or tampering, Microsoft says.

With the integrity check disabled, Adrozek proceeds to modify the security settings, making certain it does not affect the malware, Microsoft says.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.