US-based tech giant Microsoft has reported that the Google Chrome, Firefox, Microsoft Edge, and Yandex browsers are being targeted by an ongoing malware campaign that injects advertisements into search results and installs malicious browser extensions.
A persistent malware campaign called Adrozek has been using an evolved browser modifier to deliver fraudulent advertisements on search engine pages, according to Microsoft. The campaign has grown sharply and now affects around 30,000 devices per day.
The ultimate purpose of the campaign is to drive users to affiliated pages by serving search results laced with malware-inserted advertisements. To do so, the malware quietly adds malicious browser extensions and changes browser settings so that it can inject advertisements into web pages, often on top of legitimate search engine advertisements. It is also reported to modify a DLL specific to each target browser, MsEdge.dll on Microsoft Edge for instance, in order to turn off security controls.
The researchers found that the malware is installed like a normal program and appears in the list of installed apps and features in Settings. It is also registered as a Windows service of the same name. These tricks may help it avoid detection by ordinary antivirus software.
“Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions. In the past, browser modifiers calculated the hashes like browsers do and updated the Secure Preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check,” the Microsoft research team wrote in its blog post.
What makes Adrozek different from previous malware threats is that it gets installed on devices “through drive-by download”, with installer file names following a standard format of setup_.exe. When run, the installer drops a .exe file with a random file name in the temporary folder, which in turn drops the main payload in the Program Files folder. This payload poses as legitimate audio-related software and bears names such as Audiolava.exe, QuickAudio.exe, or converter.exe.
Adrozek is also found to be capable of preventing browsers from updating to newer versions by inserting a policy that disables updates. Additionally, it alters system settings to gain more control over the compromised computer.
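The behaviours described above (a payload under Program Files with one of the named file names, a Windows service sharing that program's name, and a policy that disables browser updates) can be turned into a simple triage check. The following is an added example, not code from Microsoft or the original report; it works on an endpoint inventory exported by a collection script rather than querying a live host, the sample inventory is constructed, and the registry locations of the browser update policies are assumptions, since the report only states that an update-disabling policy is inserted.

```python
"""Triage heuristics for the Adrozek behaviours described above (constructed
example, not Microsoft's code).  Input is an endpoint inventory that a
collection script would export; all sample data below is made up."""

# Payload file names named in the report.
PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}

# Values that disable browser updates.  The registry locations are assumed here;
# the report only says that a policy disabling updates is inserted.
UPDATE_KILL_POLICIES = {
    r"HKLM\SOFTWARE\Policies\Google\Update\UpdateDefault": "0",
    r"HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate\UpdateDefault": "0",
    r"HKLM\SOFTWARE\Policies\Mozilla\Firefox\DisableAppUpdate": "1",
}


def triage(programs, services, policies):
    """Return (rule_id, detail) findings.

    programs: names shown under installed apps; services: service name -> binary
    path; policies: registry path -> value as exported."""
    findings = []
    installed = {p.lower() for p in programs}
    for svc, binary in services.items():
        exe = binary.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in PAYLOAD_NAMES and "\\program files" in binary.lower():
            findings.append(("payload_name", f"service {svc!r} runs {exe} from Program Files"))
            # Installed like a normal program and registered as a service of the
            # same name: both lining up is the stronger signal.
            if svc.lower() in installed:
                findings.append(("service_matches_program", f"{svc!r} is both a program and a service"))
    for key, value in policies.items():
        if UPDATE_KILL_POLICIES.get(key) == str(value):
            findings.append(("updates_disabled", f"{key} = {value}"))
    return findings


def sample_inventory():
    """Constructed inventory of one host: one benign service and one suspicious one."""
    programs = ["QuickAudio", "7-Zip"]
    services = {
        "QuickAudio": r"C:\Program Files\QuickAudio\QuickAudio.exe",
        "Spooler": r"C:\Windows\System32\spoolsv.exe",
    }
    policies = {r"HKLM\SOFTWARE\Policies\Google\Update\UpdateDefault": 0}
    return programs, services, policies


if __name__ == "__main__":
    for rule, detail in triage(*sample_inventory()):
        print(rule, "-", detail)
```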
The researchers said Adrozek has high concentrations in Europe, South Asia, and Southeast Asia regions. However, as the campaign is still active, it may spread to other geographies over time.
Microsoft recommends that users install an antivirus solution such as Microsoft Defender Antivirus, which uses behavior-based, machine-learning-powered detections to block malware families like Adrozek as part of an integrated endpoint security solution. The scope of the latest campaign is limited to Windows devices, as there are no findings showing any impact on macOS or Linux machines.