Microsoft is warning about a new malware strain that infects a user’s device, adds browser extensions and changes settings to insert unauthorized ads into web pages.
In a blog post, the Microsoft 365 Defender Research Team calls this family of browser-modification malware Adrozek. The malware has been infecting devices since at least May, and was observed on more than 30,000 devices at its peak in August.
It’s designed to inject ads into search engine results pages on multiple browsers, including Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox, according to Microsoft.
“We call this family of browser modifiers Adrozek,” the Microsoft Team wrote. “If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines.
“The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.”
According to the Microsoft Team, browser modification malware isn’t necessarily new or all that advanced, but the fact that this malware can affect multiple browsers indicates a level of sophistication.
It also “maintains persistence and exfiltrates website credentials,” exposing users to additional risks if their device is infected.
The Microsoft experts said they tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average.
From May to September, the team recorded hundreds of thousands of encounters of the malware across the globe, with heavy concentration in Europe and Asia.
The malware is installed through drive-by download, and attackers relied on polymorphism, allowing them to “churn huge volumes of samples as well as to evade detection.”
“While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000,” the Microsoft team said.
“This massive infrastructure reflects how determined the attackers are to keep this campaign operational.”
Some domains were up for just one day, while others were active for up to four months. Some of the domains distributed clean files in an attempt to evade detection.
Users who find this malware on their devices should reinstall their browsers, educate themselves on malware infections and use URL filtering solutions.
As always, users should also make sure their security software and operating systems are up to date. At the enterprise level, IT managers should reduce the attack surface by deploying application control to enforce the use of only authorized apps and services.