New malware Adrozek is attacking Google Chrome, Firefox, other browsers

New Delhi, December 13: The latest blog post shared by the Microsoft 365 Defender Research team has warned readers about a new malware that has been attacking browsers such as Google Chrome, Firefox, Microsoft Edge, and Yandex.

The malware, dubbed Adrozek, is believed to have been active since May 2020, with the most attacks reported in August 2020. It has been attacking browsers on over 30,000 devices a day on average.

According to the Microsoft report, Adrozek is most prevalent in Europe, South Asia, and Southeast Asia, but it may spread to other regions soon, as the campaign is still active.

Microsoft recommends that users run an antivirus solution such as Microsoft Defender, which offers endpoint protection, to block this malware.

What does the malware do?

According to the Microsoft 365 Defender Research blog, Adrozek’s main function is to direct users to affiliate pages, which it accomplishes by adding malicious browser extensions. The malware also changes users’ browser settings to inject advertisements into web pages, and it modifies the browsers’ Dynamic Link Library (DLL) files: for instance, when targeting Microsoft Edge, it turns off MsEdge.dll, which is the browser’s security control.

This unusual campaign, identified in 2020, not only affects multiple browsers but also exfiltrates website credentials, which exposes users to additional risk. Adrozek can additionally prevent browsers from updating to their latest versions by inserting policies that turn off updates.

How does the malware work?

Adrozek gets installed on a device through the “drive-by download” method. The Microsoft blog post explains: “When run, the installer drops an .exe file with a random file name in the %temp% folder. This file in turn drops the main payload in the Program Files folder using a file name that makes it look like a legitimate audio-related software. We have observed the malware use various names like Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed like a usual program that can be accessed through Settings > Apps and features and registered as a service with the same name.”
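The install chain quoted above can be turned into a simple correlation rule over endpoint telemetry: a process running from %temp% writes an .exe into Program Files, and a service is then registered under that file's name. The following is an added example, not code from the article or from Microsoft; the event schema and the sample events are constructed for illustration, and only the three payload names come from the article.

```python
import re

# Payload file names the article reports Microsoft observed for Adrozek.
KNOWN_PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}
# Hypothetical event schema (constructed for this example, not a real log format):
#   {"type": "file_create", "image": <writing process>, "target": <file written>}
#   {"type": "service_install", "name": <service name>}
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)


def find_adrozek_like_chains(events):
    """Correlate the chain the article describes: a process running from %temp%
    writes an .exe under Program Files, and a service is registered under the
    same name. Returns one finding per candidate payload with a severity."""
    droppers = {}  # payload path -> image of the process that wrote it
    for ev in events:
        if (ev["type"] == "file_create"
                and TEMP_DIR.match(ev["image"])
                and PROGRAM_FILES.match(ev["target"])
                and ev["target"].lower().endswith(".exe")):
            droppers[ev["target"]] = ev["image"]
    services = {ev["name"].lower() for ev in events if ev["type"] == "service_install"}

    findings = []
    for payload, dropper in droppers.items():
        base = payload.rsplit("\\", 1)[-1].lower()
        known = base in KNOWN_PAYLOAD_NAMES
        same_name_service = base[:-len(".exe")] in services
        # Legitimate installers also run from %temp% and write to Program Files,
        # so the bare chain is a weak signal; the extra indicators raise it.
        if known and same_name_service:
            severity = "high"
        elif known or same_name_service:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"dropper": dropper, "payload": payload, "known_name": known,
                         "service_same_name": same_name_service, "severity": severity})
    return findings


# Constructed sample telemetry: one Adrozek-like chain and one ordinary installer.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\k3j9x1.exe",
     "target": r"C:\Program Files\QuickAudio\QuickAudio.exe"},
    {"type": "service_install", "name": "QuickAudio"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "target": r"C:\Program Files\SomeEditor\someeditor.exe"},
]
```

Feeding real Sysmon or EDR file-create and service-install events into this shape gives a triage list; the "low" tier exists precisely because ordinary installers follow the same %temp%-to-Program-Files path.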

When attacking Microsoft Edge and Yandex, Adrozek uses the IDs of legitimate extensions, whereas on Google Chrome it modifies the browser’s default “Chrome Media Router” extension. The malware targets different extensions in each browser but uses the same scripts to infect them. This lets it connect the browser to its server and insert ads into search results.