Adrozek Malware Silently Hijacks Microsoft Edge, Google Chrome, Yandex & Firefox Browsers

Recently, Microsoft 365 Defender Research affirmed that they had recorded a new malware that has been continuously attacking popular browsers like Google Chrome, Firefox, Microsoft Edge, and Yandex.

The malware is named Adrozek Malware, and it is specifically created to inject ads into search engine results pages. Since May 2020, this malware has been on track with the highest attacks reported in August 2020. 

According to Microsoft’s report, this malware has been attacking browsers on over 30,000 devices every day at an average rate. And Europe and Asia were severely affected by this malware from May to September.

Adrozek Malware

Distribution Infrastructure

The threat actors install this malware on the device through a drive-by download. However, the experts were tracking the Adrozek campaign from May to September 2020; And after tracking all the steps of Adrozek, they noticed that 159 unique domains were used to administer hundreds of thousands of unusual malware samples.

Many domains hosted tens of thousands of URLs, and some of them had more than 100,000 unique URLs, with one hosting nearly 250,000.

Adrozek Malware

But, here, the most exciting fact of this malware is that many domains are distributing clean files like Process Explorer, possibly it is an attempt by the threat actors to enhance the reputation of their domains and URLs.

Readjusting Browser Components

Apart from this, there are some modifying browser components, and here we have mentioned them below:-

  • Extensions: This malware does some changes to specific browser extensions. The malware typically modifies “Chrome Media Router” on the browser’s default extensions on Google Chrome.
  • Browser DLLs: The malware further tampers with some specific browser DLLs. 
  • Browser security settings: In this, the browsers have security settings that specifically defend against malware tampering. 
  • Browser updates: This malware added a policy to turn off updates, to stop the browsers from being updated with the latest versions.

Ad Injection & Credential Theft

Once the malware is done tampering with various browser components and settings, it quickly gains the ability to inject ads on search results specifically on the affected browsers. Moreover, Adrozek threat actors work in the same way as other browser modifiers do to earn through affiliate ad programs, which compensate for referral traffic to specific websites.

By doing credential theft, the threat increases most of its performance. However, the threat actors download an additional randomly named .exe file that assembles device information and the currently active username.

According to the experts, the threat actors of Adrozek makes the threat more complex and critical those are not so important. But, the Microsoft Defender Antivirus has a built-in endpoint protection solution on Windows 10 and have used behavior-based, machine learning-powered disclosures to prevent Adrozek.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.