Microsoft Warns of Adrozek Malware Infecting Over 30,000 Browsers

Microsoft has issued a warning about a new malware family called Adrozek, which infects users’ devices and alters their browser settings to display ads in search results. According to the company, this malware has been active since at least May 2020 and reached its peak in August, when it was controlling over 30,000 infected browsers daily. However, analysts believe the actual number of infected users is much higher, as experts detected “hundreds of thousands” of Adrozek infections worldwide between May and September 2020.

How Adrozek Works

The majority of victims are reportedly located in Europe, followed by South and Southeast Asia. Currently, the malware spreads through classic drive-by attacks, where users are redirected from legitimate websites to malicious domains. There, they are tricked into installing the malware, which then ensures its persistence by making changes to the system registry.

Once inside the system, Adrozek searches for locally installed browsers, including Microsoft Edge, Google Chrome, Mozilla Firefox, and Yandex Browser. If a target is found, the malware attempts to forcibly install its own extension by modifying the browser’s profile data in the AppData folder. To keep the browser’s own protections from detecting these unauthorized changes, Adrozek also alters certain browser DLL files and settings and disables security mechanisms. Specifically, the malware:

  • Disables browser updates
  • Disables file integrity checks
  • Disables safe browsing features
  • Registers and activates the malicious extension added in the previous step
  • Allows the malicious extension to run in incognito mode
  • Enables the extension to run without proper permissions
  • Hides the extension from the toolbar
  • Changes the default homepage
  • Changes the default search engine

All these actions are taken so that Adrozek can inject ads into search result pages. The operators of the malware profit from this by directing traffic to advertising sites or referral programs.
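As an added example from a defender’s perspective (not code from Microsoft’s report or from this article), here is a small audit that reads a Chromium-style Preferences JSON and flags the kinds of setting changes listed above: safe browsing switched off, homepage and default search engine changed, and extensions that were not installed from the Web Store or are allowed in incognito mode. The key names follow the Chromium preference file format as I understand it, and all sample values are constructed; a real check would read the profile’s Preferences file and compare it against a known-good baseline.

```python
import json

# Constructed sample in the shape of a Chromium "Preferences" JSON file (key names
# follow the Chromium preference format as I understand it; every value is made up).
SAMPLE_PREFS = json.dumps({
    "homepage": "http://ads.example-hijack.invalid/",
    "safebrowsing": {"enabled": False},
    "default_search_provider_data": {
        "template_url_data": {"keyword": "example-hijack.invalid"}
    },
    "extensions": {"settings": {
        # sideloaded extension granted incognito access (constructed id)
        "abcdefghijklmnopabcdefghijklmnop": {"from_webstore": False, "incognito": True},
        # ordinary Web Store extension with default settings (constructed id)
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"from_webstore": True, "incognito": False},
    }},
})


def audit_prefs(raw_json, expected_homepage, expected_search_keyword):
    """Return findings that match the tampering pattern described in the article."""
    prefs = json.loads(raw_json)
    findings = []
    # Safe browsing switched off
    if prefs.get("safebrowsing", {}).get("enabled") is False:
        findings.append("safe browsing disabled")
    # Homepage changed away from the organisation's baseline
    if prefs.get("homepage") != expected_homepage:
        findings.append(f"homepage changed to {prefs.get('homepage')!r}")
    # Default search provider changed away from the baseline
    keyword = (prefs.get("default_search_provider_data", {})
               .get("template_url_data", {}).get("keyword"))
    if keyword != expected_search_keyword:
        findings.append(f"default search engine changed to {keyword!r}")
    # Extensions installed outside the store, or allowed to run in incognito
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if not ext.get("from_webstore", False):
            findings.append(f"extension {ext_id} not installed from the Web Store")
        if ext.get("incognito", False):
            findings.append(f"extension {ext_id} allowed to run in incognito")
    return findings


def run_sample():
    # Baseline values are assumed for the demo: replace with your own standard config.
    return audit_prefs(SAMPLE_PREFS, "https://intranet.example.com/", "google.com")
```

The function returns one finding per deviation, so an empty list means the profile matches the baseline.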

Additional Risks and Scale of the Attack

Even worse, in the case of Firefox, the malware also extracts credentials from the browser and sends them to the attackers’ server.

Microsoft notes that Adrozek’s operations are extremely sophisticated, especially regarding its distribution infrastructure. Since May 2020, the company has tracked 159 domains hosting Adrozek installers. Each domain hosted an average of 17,300 dynamically generated URLs, and each URL contained over 15,300 dynamically generated Adrozek installers.

“While many domains contained tens of thousands of URLs, some had over 100,000 unique URLs, and on one domain, we found nearly 250,000 URLs. This massive infrastructure reflects the attackers’ determination to keep this campaign running. Some of these domains were active for just one day, while others remained operational for up to 120 days,” Microsoft experts wrote, adding that the scale of Adrozek operations is likely to increase in the coming months.