According to Microsoft, a persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers—Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox—exposing the attackers’ intent to reach as many Internet users as possible.
Microsoft Report: https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/; More information: https://arstechnica.com/information-technology/2020/12/ongoing-malware-attacks-are-hitting-users-of-4-major-browsers/
Microsoft didn’t specify what interactions are required for Adrozek infections to occur, so it’s difficult to give practical advice on how to prevent it. Microsoft mentions that infections occur through “drive by downloads”, which is not very specific. That being said, a lot of drive-by downloads occur through malicious scripts, so a script blocker extension like NoScript could help protect your browser. Don’t click on links or attachments in unsolicited emails, messages, or advertisements.
Although Adrozek is mainly used for adware, its sophisticated capabilities mean it could be modified for much more serious attacks. If you think you’re infected, uninstall and reinstall your web browser and run an antivirus scan. Uninstall the malicious programs or perform a system restore. If you’re using Firefox, you should also change all the passwords stored in your browser.
Unfortunately, we don’t know what, if any, user actions are required to enable these infections. However, I can’t stress enough to users to never install an app or extension simply because a website informs you that your machine needs an update to Flash Player or some other app, extension, or plug-in.
It appears that since this malicious payload is in a “.exe” file, only Windows users are affected. This makes sense, as macOS and Linux users amount to only a fraction of the numbers of Windows users. However, this doesn’t make it any less important for Mac and Linux users to not follow safe computing guidelines such as I mentioned above.
This is a great example of how technically advanced modern attackers are. While we often hear about data breaches and fraudulent wire transfers, campaigns like this quietly run in the background generating income by redirecting search results. In many cases, it’s likely that the advertisers are unaware that malware is being used to increase this traffic. The advertisers are losing money, as they are presenting ads to possibly uninterested people, while paying the cybercriminals.
The addition of credential theft from the Firefox browser is a valuable tool. Attackers love to have access to usernames and passwords that they will then use in credential stuffing attacks on other accounts such as banking or shopping websites. These are successful because people often reuse the same password for many different accounts.
To defend against this, users need to be educated about the dangers of installing software from untrusted websites, and the importance of password hygiene, including not reusing them across accounts.
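The commentary above explains why credential theft from a browser is valuable to attackers: a single stolen password is tried against other accounts, and it works when the password was reused. The defensive counterpart is an audit that finds reuse before the credentials leak. The following Python is an added illustration (not code from Microsoft, the quoted experts, or any password manager); it runs over a constructed, clearly fake vault export and goes one step beyond the text by also flagging near-reuse, where the same core password is recycled with a different trailing number or capitalisation, a pattern that credential-stuffing tooling routinely accounts for. The vault format and the normalisation rules are assumptions made for the example.

```python
"""Password-reuse audit over a set of stored logins (added example).

Credential stuffing succeeds when one leaked password unlocks other
accounts, so the defensive check is simply: which accounts share a
password, exactly or approximately?
"""
import re
from collections import defaultdict

# Constructed sample vault export: (site, username, password).
# These are fake entries created for this example only.
SAMPLE_VAULT = [
    ("bank.example", "alice", "Winter2020!"),
    ("shop.example", "alice", "Winter2020!"),
    ("mail.example", "alice", "winter2021!"),
    ("forum.example", "alice", "correct horse battery staple"),
    ("bank.example", "bob", "hunter2"),
    ("shop.example", "bob", "hunter2"),
]

_TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(password: str) -> str:
    """Collapse common 'rotation' variants so near-duplicates compare equal.

    Assumed rules: drop trailing punctuation, drop trailing digits, lower-case.
    'Winter2020!' and 'winter2021!' both map to 'winter'.
    """
    core = password.rstrip("!@#$%^&*.?")
    core = _TRAILING_DIGITS.sub("", core)
    return core.lower()


def exact_reuse(vault):
    """Map each password used by more than one account to those accounts."""
    groups = defaultdict(list)
    for site, user, password in vault:
        groups[password].append((site, user))
    return {pw: accounts for pw, accounts in groups.items() if len(accounts) > 1}


def near_reuse(vault):
    """Group accounts whose passwords differ only by case, trailing digits
    or trailing punctuation; keep groups with more than one distinct password."""
    groups = defaultdict(set)
    for site, user, password in vault:
        groups[normalize(password)].add((site, user, password))
    return {
        key: sorted(members)
        for key, members in groups.items()
        if len({pw for _, _, pw in members}) > 1
    }


def audit(vault):
    """Produce a small health-check report.

    A real password-manager audit would not echo plaintext passwords into
    its report; keys are kept here only so the example is readable.
    """
    exact = exact_reuse(vault)
    near = near_reuse(vault)
    flagged = {acct for accounts in exact.values() for acct in accounts}
    flagged |= {(s, u) for members in near.values() for s, u, _ in members}
    return {
        "exact": exact,
        "near": near,
        "accounts_flagged": len(flagged),
        "accounts_total": len(vault),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print(f"{report['accounts_flagged']} of {report['accounts_total']} "
          f"accounts share a password exactly or approximately")
    for pw, accounts in report["exact"].items():
        print("  exact reuse:", [f"{u}@{s}" for s, u in accounts])
    for key, members in report["near"].items():
        print(f"  near reuse ({key}):", [f"{u}@{s}" for s, u, _ in members])
```

On the sample vault the exact check flags both of alice's and bob's shared passwords, while the near check additionally links alice's mail account, whose password is the same word with the year bumped. Treat every flagged group as one credential: if any site in the group is breached, the others are exposed to the stuffing attack the commentary describes.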