Adrozek malware hijacks browsers

Microsoft on Thursday took the wraps off an ongoing campaign impacting popular web browsers that stealthily injects malware-infested ads into search results to earn money via affiliate advertising.

“Adrozek,” as it’s called by the Microsoft 365 Defender Research Team, employs an “expansive, dynamic attacker infrastructure” consisting of 159 unique domains, each of which hosts an average of 17,300 unique URLs, which in turn host more than 15,300 unique malware samples.

The campaign — which impacts Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox browsers on Windows — aims to insert additional, unauthorized ads on top of legitimate ads displayed on search engine results page.

Microsoft said the browser modifier malware was observed since May this year, with over 30,000 devices every day at its peak in August.

Adrozek proceeds to make multiple changes to browser settings and security controls so as to install malicious add-ons that masquerade as genuine by repurposing the IDs of legitimate extensions.null

Although modern browsers have integrity checks to prevent tampering, the malware cleverly disables the feature, thus allowing the attackers to circumvent security defenses and exploit the extensions to fetch extra scripts from remote servers to inject bogus advertisements and gain revenue by driving traffic to these fraudulent ad pages.

“Adrozek shows that even threats that are not thought of as urgent or critical are increasingly becoming more complex,” The main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allows attackers to gain a strong foothold on a device. The addition of credential theft behavior shows that attackers can expand their objectives to take advantage of the access they’re able to gain.