Microsoft has raised the alarm about a new family of malware called Adrozek that is capable of infecting users’ devices, stealing data, hijacking browsers, and modifying their settings in order to inject ads into search results pages.
The malware has been active since at least May 2020 and peaked in August of this year, when it was controlling more than 30,000 browsers each day.
Microsoft’s research team believes the number of affected users is much higher: according to Microsoft researchers, between May and September 2020 they observed hundreds of thousands of Adrozek infections around the world.
Microsoft says the malware is distributed through classic download schemes, in which users are usually redirected from legitimate sites to suspicious domains where they are tricked into installing the malware.
Once installed, Adrozek looks for the browsers present on the machine and, when it finds one, attempts to force installation of its extension by modifying the AppData folder.
Adrozek also modifies certain browser DLL files in order to change browser settings, disable browser security features, and prevent the browser from detecting the unauthorized modifications.
Modifications that the malware makes include:
- Disable browser updates.
- Disable file integrity checks.
- Disable the Safe Browsing feature.
- Register and activate the extension it added.
- Allow malicious plugins to run in incognito mode.
- Allow the extension to run without appropriate permissions.
- Hide extension from toolbar.
- Modify the default browser home page.
- Modify the browser’s default search engine.
These steps allow the malware to inject ads into search result pages, allowing its operators to generate revenue by directing the traffic toward the ads.
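Several of the modifications listed above leave traces in files a defender can inspect directly. The following is an added example written for this article (it is not code from Microsoft’s report or from any Adrozek sample): it audits a Chromium-style `Preferences` JSON file for the changes described (Safe Browsing disabled, home page and default search engine redirected, an unapproved or sideloaded extension allowed to run in incognito mode) and checks browser binaries against an externally kept SHA-256 baseline, since the malware disables the browser’s own integrity checks. The key names follow Chrome’s `Preferences` layout; the sample file, the extension IDs, the DLL names and the allowlists are all constructed values assumed for the demonstration.

```python
"""Audit browser preferences and file hashes for the kinds of tampering described above."""
import hashlib
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample Preferences file (Chrome-style key names, invented values).
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://search-example.invalid/start",
    "homepage_is_newtabpage": False,
    "safebrowsing": {"enabled": False},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "search-example.invalid",
            "url": "http://search-example.invalid/q={searchTerms}",
        }
    },
    "extensions": {
        "settings": {
            # Constructed extension IDs, not real ones.
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": False,
                "incognito": True,
                "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Helper", "version": "1.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True,
                "incognito": False,
                "manifest": {"name": "Known Good", "version": "2.3"},
            },
        }
    },
})

# Assumptions for the demo: hosts an organisation approves as search engines,
# and the extension IDs it has allowlisted.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
APPROVED_EXTENSIONS = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}


def audit_preferences(raw_json: str) -> List[str]:
    """Return a list of findings describing suspicious settings in a Preferences file."""
    prefs = json.loads(raw_json)
    findings: List[str] = []

    # Safe Browsing switched off.
    if prefs.get("safebrowsing", {}).get("enabled") is False:
        findings.append("safe_browsing_disabled")

    # Home page overridden (only meaningful when it is not the new-tab page).
    if prefs.get("homepage") and not prefs.get("homepage_is_newtabpage", True):
        findings.append(f"homepage_set:{prefs['homepage']}")

    # Default search provider pointing somewhere other than an approved engine.
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = tpl.get("url", "")
    host = urlsplit(url).hostname or ""
    if url and host not in EXPECTED_SEARCH_HOSTS:
        findings.append(f"search_provider_redirected:{host}")

    # Extensions: not on the allowlist, not from the web store, or allowed in incognito.
    for ext_id, settings in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id not in APPROVED_EXTENSIONS:
            findings.append(f"unapproved_extension:{ext_id}")
        if settings.get("from_webstore") is False:
            findings.append(f"sideloaded_extension:{ext_id}")
        if settings.get("incognito") is True:
            findings.append(f"incognito_enabled:{ext_id}")
    return findings


def check_file_hashes(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Compare file contents against a known-good SHA-256 baseline kept outside the browser."""
    changed: List[str] = []
    for name, expected in baseline.items():
        data = files.get(name)
        if data is None:
            changed.append(f"missing:{name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            changed.append(f"modified:{name}")
    return changed


# Constructed placeholder DLL contents; real deployments would hash the installed files.
GOOD_FILES = {"example_a.dll": b"original bytes A", "example_b.dll": b"original bytes B"}
BASELINE = {name: hashlib.sha256(data).hexdigest() for name, data in GOOD_FILES.items()}
CURRENT_FILES = {"example_a.dll": b"original bytes A", "example_b.dll": b"patched bytes B"}

if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFERENCES):
        print("preferences:", finding)
    for finding in check_file_hashes(BASELINE, CURRENT_FILES):
        print("integrity:", finding)
```

On a real host the `Preferences` file lives under the browser’s profile directory in AppData, and the hash baseline should be taken from a clean installation and stored where the browser process cannot rewrite it, because the in-browser integrity checks are exactly what this malware turns off.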
Microsoft says Adrozek also includes a secondary capability, specific to the Firefox browser, that extracts data from the browser and sends it to the attackers’ servers.
So far, Microsoft has tracked 159 domains that have hosted Adrozek since May 2020; each domain hosted an average of 17,300 unique, dynamically generated URLs, and each URL hosted more than 15,300 samples of dynamically generated malware.