A new widespread malware attack targets Chrome, Firefox, Edge, and Yandex users

nanoguy

Staff member
A hot potato: The Microsoft Defender Research Team has identified a new malware campaign that targets the most popular web browsers to generate ad revenue for malicious actors. While it may seem harmless to the user, the malware's sophisticated behavior indicates it could be used to gain deeper access to the data on your Windows device.

Microsoft issued a warning this week of a widespread malware campaign that consists of hijacking the most popular web browsers on tens of thousands of devices every day. Attackers are able to make silent changes to users' computers to inject ads in search results and extract a significant amount of revenue.

Collectively, this family of browser exploits is called "Adrozek" and was first observed in May.

The attackers are using over a hundred domain names hosting an average of 17,300 URLs. Microsoft researchers say they've found more than 15,300 unique malware samples. In just five months, they recorded hundreds of thousands of detections of Adrozek across the globe, particularly in Europe, South Asia, and Southeast Asia.

The methods used by the attackers aren't new, but they've become more sophisticated as of late and now they can affect multiple browsers at the same time, including Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex Browser. Adrozek operates first by adding browser extensions and modifying specific DLL files of your browser, so that attackers can gain the privileges to change settings. This allows them to insert additional ads on top of legitimate ones into web pages you visit.

Adrozek is particularly effective on search engines like Google where attackers are able to target users based on the keywords they search for. As seen on the image above, a user will typically see search results populated by several affiliate links at the top. The more people that click on these links, the more money the attackers make since they get paid by the amount of traffic they can bring to those sponsored pages.

Microsoft explains that Adrozek could easily be used to do more damage to the target PCs by injecting additional malicious payloads and exfiltrating your website credentials. The whole infrastructure that enables the campaign dynamically changes over time, while the domains themselves are improved to look more legitimate.

If you notice the above behavior on your system, one proposed solution is to simply reinstall the browsers you use and learn more about how to prevent malware infections like this one.


 
Once dropped and installed on target systems via drive-by downloads, Adrozek proceeds to make multiple changes to browser settings and security controls so as to install malicious add-ons that masquerade as genuine by repurposing the IDs of legitimate extensions.

Although modern browsers have integrity checks to prevent tampering, the malware cleverly disables the feature, thus allowing the attackers to circumvent security defenses and exploit the extensions to fetch extra scripts from remote servers to inject bogus advertisements and gain revenue by driving traffic to these fraudulent ad pages.

What's more, Adrozek goes one step further on Mozilla Firefox to carry out credential theft and exfiltrate the data to attacker-controlled servers.

"And while the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allows attackers to gain a strong foothold on a device. The addition of credential theft behavior shows that attackers can expand their objectives to take advantage of the access they're able to gain."
https://thehackernews.com/2020/12/watch-out-adrozek-malware-hijacking.html
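The two tamper indicators the article and the quote above describe, modified browser DLLs and added extensions, can be triaged with a read-only check like the following. This is an added example, not code from the article, from Microsoft's write-up or from The Hacker News; the install folders and profile paths are assumed default locations for Chrome, Edge and Firefox on Windows.

```powershell
# Added example: read-only triage for the indicators described in the thread.
# Install and profile paths are assumed defaults, adjust for non-standard installs.
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
) | Where-Object { Test-Path $_ }

# 1. Browser DLLs ship Authenticode-signed. A DLL in an install folder whose
#    signature is missing or no longer matches the file contents (HashMismatch)
#    is worth a closer look, since the article says the malware modifies DLLs.
foreach ($dir in $browserDirs) {
    Get-ChildItem -Path $dir -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Check  = 'UnsignedOrModifiedDll'
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

# 2. Enumerate installed Chromium extensions per profile. The folder name is the
#    extension ID; because the quote says IDs of legitimate extensions are reused,
#    compare the name, version and install time against what you actually installed.
$extGlobs = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions\*\*\manifest.json",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\*\Extensions\*\*\manifest.json"
)
Get-ChildItem -Path $extGlobs -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Get-Content -Raw -Path $_.FullName | ConvertFrom-Json
    [pscustomobject]@{
        Check     = 'InstalledExtension'
        Browser   = if ($_.FullName -like '*\Microsoft\Edge\*') { 'Edge' } else { 'Chrome' }
        Id        = $_.Directory.Parent.Name
        Version   = $manifest.version
        Name      = $manifest.name            # may be a __MSG_*__ localisation key
        Installed = $_.Directory.Parent.LastWriteTime
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to review it; nothing here modifies the system, so it is safe to run before deciding whether a reinstall is needed.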
 
So using IE would be the safe alternative in this case?

Joke aside, did MS update Defender to remove this threat?
I skimmed the MS article linked to and as I re-read your question I'm not actually sure it removes it, the page states "Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, blocks this threat using behavior-based, machine learning-powered protections. For enterprises, Microsoft 365 Defender provides deep visibility into malicious behaviors."
The page does however provide an in-depth explanation (over my head mostly), but there are things to check: the threat starts a Service, modifies the registry, and for Edge it showed where some 'iffy' files might be found. It does mention Mozilla and Chrome, but I didn't read that.
 
So can we think of any other examples of unwanted behaviour where a search engine has been "corrupted" to show results that will pay the culprits more money by clicking their prioritised suggestions?
 
Are the likes of Opera and Vivaldi affected as well, seeing as they both use Chromium now?
I'd say probably. If both Chrome and Edge are affected, then it's probably a safe bet that all Chromium-based browsers are vulnerable. Opera and Vivaldi users should operate under the assumption that they're not safe either.
 