Microsoft revealed on Thursday that Google Chrome, Firefox, Microsoft Edge and Yandex browsers are being affected by an ongoing malware campaign designed to inject ads into search results and spread malware. The newly discovered malware family, known as Adrozek, has been active since at least May this year, with the attack peaking in August, when more than 30,000 devices were seen affected every day.
From May to September, Adrozek was encountered hundreds of thousands of times globally, Microsoft said. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn hosted an average of more than 15,300 distinct, polymorphic malware samples.
The ultimate goal of the new campaign is to steer users to related pages by inserting malware-laced ads into search results. To get there, the malware silently installs malicious browser extensions and changes browser settings so that ads are placed on web pages, on top of the legitimate ads returned by most search engines. To turn off security controls, it modifies a specific DLL in each browser; in Microsoft Edge, that DLL is MsEdge.dll.
The Microsoft 365 Defender Research Team noted in a blog post that although abuse of such programs is not new, this campaign used a single piece of malware that affects multiple browsers. The malware may also extract website credentials, posing additional risk to users.
Unlike previous malware threats, Adrozek is installed on devices through "drive-by downloads" and uses an installer whose file name follows a standard format, setup_.exe. When executed, the installer drops an .exe file with a random name into the temporary folder, which in turn drops the main payload into the Program Files folder. This payload masquerades as legitimate audio-related software and uses names such as Audiolava.exe, QuickAudio.exe or converter.exe.
The researchers found that the malware installs itself like a regular program and can be seen in the Apps & features settings. It is also registered as a Windows service with the same name. These techniques may help it evade common antivirus software.
However, like other malicious software of this kind, Adrozek also makes changes to certain browser extensions. The Microsoft team specifically mentioned Google Chrome, where it usually modifies the default Chrome Media Router extension. Similarly, in Microsoft Edge and Yandex, it uses the IDs of legitimate extensions such as "Radioplayer".
“Although the malware targets different extensions on each browser, it adds malicious scripts to these extensions,” Microsoft said in its research blog.
These malicious scripts let the attackers connect to their servers and inject ads into search results.
“In the past, browser modifiers did the same work as the browsers and updated the security preferences accordingly. Adrozek has taken another step forward and tampers with the function that launches the integrity checks.”
Adrozek has also been found to prevent browsers from updating to the latest version by adding an update-blocking policy. In addition, it changes system settings to gain additional control over the compromised device.
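The behaviours described above (a patched browser DLL, altered or added extension files, an update-blocking policy, and a payload registered as a Windows service under an audio-software name) are all things a host audit can check against a clean baseline. The script below is an added example written for this article, not code from Microsoft's research post: it runs the four checks over a constructed host snapshot. The known-good hashes, extension directory names and file contents are made up for the example; the two registry policy values are the documented Google Update and Microsoft Edge Update keys, but the article itself does not name which policy Adrozek sets, so treat that mapping as an assumption.

```python
import hashlib
from dataclasses import dataclass

# Constructed baseline of known-good SHA-256 digests. A real deployment would
# record these from a clean install; the values here are placeholders.
KNOWN_GOOD = {
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll": "a" * 64,
    r"C:\Program Files\Google\Chrome\Application\chrome.dll": "b" * 64,
}

# Registry values that disable browser auto-update when set to 0 (assumed from
# the vendors' update-policy documentation; the article does not name the key).
UPDATE_POLICY_KEYS = {
    r"HKLM\SOFTWARE\Policies\Google\Update\UpdateDefault",
    r"HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate\UpdateDefault",
}

# Payload file names quoted in the article, compared case-insensitively.
SUSPECT_PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}


@dataclass
class HostSnapshot:
    file_hashes: dict         # file path -> sha256 hex of current contents
    extension_files: dict     # extension dir -> {file name: sha256 hex}
    extension_baseline: dict  # extension dir -> {file name: sha256 hex} (clean)
    registry: dict            # full value path -> data
    services: list            # (service name, binary path)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(snapshot: HostSnapshot) -> list:
    """Return human-readable findings for the indicators the article describes."""
    findings = []
    # 1. Browser DLL tampering (e.g. MsEdge.dll patched to disable security controls)
    for path, good in KNOWN_GOOD.items():
        seen = snapshot.file_hashes.get(path)
        if seen is not None and seen != good:
            findings.append(f"modified browser binary: {path}")
    # 2. Extension drift: altered files or files that are not in the baseline
    for ext_dir, files in snapshot.extension_files.items():
        baseline = snapshot.extension_baseline.get(ext_dir, {})
        for name, digest in files.items():
            if name not in baseline:
                findings.append(f"unexpected file in extension {ext_dir}: {name}")
            elif baseline[name] != digest:
                findings.append(f"altered extension file in {ext_dir}: {name}")
    # 3. Update-blocking policy
    for key in UPDATE_POLICY_KEYS:
        if snapshot.registry.get(key) == 0:
            findings.append(f"browser updates disabled by policy: {key}")
    # 4. Service whose binary carries one of the article's payload names
    for svc, binary in snapshot.services:
        base = binary.rsplit("\\", 1)[-1].lower()
        if base in SUSPECT_PAYLOAD_NAMES:
            findings.append(f"suspicious service {svc!r} -> {binary}")
    return findings


def build_sample_snapshot(tampered: bool) -> HostSnapshot:
    """Constructed snapshot: clean, or with every indicator planted."""
    ext_dir = "chrome_media_router (constructed extension dir)"
    clean_js = b"// original background.js (constructed)"
    manifest = b"{}"
    clean_files = {"background.js": sha256_hex(clean_js),
                   "manifest.json": sha256_hex(manifest)}
    files = dict(clean_files)
    file_hashes = dict(KNOWN_GOOD)
    registry = {}
    services = [("Spooler", r"C:\Windows\System32\spoolsv.exe")]
    if tampered:
        files["background.js"] = sha256_hex(clean_js + b"\n// injected (constructed)")
        files["injected.js"] = sha256_hex(b"// dropped script (constructed)")
        file_hashes[r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"] = "c" * 64
        registry[r"HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate\UpdateDefault"] = 0
        services.append(("QuickAudio", r"C:\Program Files\QuickAudio\QuickAudio.exe"))
    return HostSnapshot(file_hashes=file_hashes,
                        extension_files={ext_dir: files},
                        extension_baseline={ext_dir: clean_files},
                        registry=registry,
                        services=services)


if __name__ == "__main__":
    for finding in audit(build_sample_snapshot(tampered=True)):
        print(finding)
```

On a real host the snapshot would be filled from the file system, the extension directories under each browser's user-data folder, and the registry; the baseline matters most for the DLL and extension checks, since Adrozek's payload names and policy settings can change while a hash mismatch against a clean install cannot be hidden by renaming.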
Adrozek infections were most concentrated in Europe, South Asia and Southeast Asia, the researchers said. However, since the campaign is still active, it may spread to other regions over time.
Microsoft advises users to install an antivirus solution, such as Microsoft Defender Antivirus, whose built-in, behavior-based, machine-learning-driven detection can block malware families such as Adrozek.
Meanwhile, the scope of the campaign appears to be limited to Windows devices, as there are no findings pointing to any impact on macOS or Linux machines.
Earlier this year, Microsoft removed a set of extensions from its Edge Add-ons store that injected ads into Google and Bing search results. Google took similar action in the Chrome Web Store against extensions that silently let attackers generate revenue from ad-laden search results. However, malware such as Adrozek appears to require a stricter approach than pulling a few extensions from online stores.