Microsoft on Thursday revealed that Google Chrome, Firefox, Microsoft Edge and Yandex browsers are being targeted by an ongoing malware campaign designed to inject ads into search results and spread further malware. The newly discovered malware family, known as Adrozek, has been growing since at least May this year and peaked in August, when more than 30,000 affected devices were detected every day.
From May to September, Microsoft recorded hundreds of thousands of encounters with the malware globally, the company said. It has tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host an average of more than 15,300 distinct polymorphic malware samples.
The ultimate goal of the new campaign is to steer users to specific pages by injecting malicious ads into search results. To get there, the malware silently adds malicious browser extensions and changes browser settings so that it can insert ads into web pages, on top of the legitimate ads shown by search engines. To get past security controls, it also modifies a browser DLL for each targeted browser, for example MsEdge.dll in Microsoft Edge.
The Microsoft 365 Defender Research Team said in a blog post that although browser-modifying programs have been abused before, this campaign uses a single piece of malware that affects multiple browsers. The malware can also extract website credentials, exposing affected users to additional risk.
Unlike previous browser-modifier threats, Adrozek is installed on devices via drive-by download and arrives as an installer file following the standard naming pattern setup_.exe. When executed, the installer drops a .exe file with a random file name into a temporary folder, which in turn drops the main payload. That payload masquerades as legitimate audio-related software, using names such as Audiolava.exe, QuickAudio.exe or converter.exe.
The researchers found that the malware is installed like an ordinary program and can be seen in the Apps & Features settings. It is also registered as a Windows service of the same name. These techniques may help it evade detection by common antivirus software.
Like other browser-modifying malware, Adrozek makes changes to certain browser extensions. The Microsoft team noted that in Google Chrome it usually modifies the default Chrome Media Router extension, while in Microsoft Edge and Yandex it uses the IDs of legitimate extensions such as “Radioplayer”.
“Although each browser targets different extensions, the malicious software adds malware to each such extension,” Microsoft said in a research blog.
The malicious files let the attackers establish a connection with their servers and place ads in search results.
“In the past, browser modifiers were as busy as browsers and updated the security trend accordingly. Adrozek has taken another step forward and improved its ability to verify integrity.”
Adrozek has also been found to prevent browsers from updating to the latest version by adding an update-blocking policy. In addition, it can modify system settings to gain further control over the compromised device.
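Two of the changes described above, an update-blocking browser policy and a modified MsEdge.dll, are things a defender can audit for directly. The following PowerShell script is an added example, not code from the article or from Microsoft's report; the policy registry paths and values are assumed from public vendor documentation, and the Edge install folders are the default locations, so adjust both for your environment.

```powershell
# Added example: audit a Windows host for Adrozek-style browser tampering.
# Assumed policy locations (from vendor documentation): a value of 0 under the
# Google/Microsoft Update keys disables updates; DisableAppUpdate=1 does so for Firefox.
$policyChecks = @(
    @{ Browser='Chrome';  Path='HKLM:\SOFTWARE\Policies\Google\Update';        Name='UpdateDefault';    Bad=0 },
    @{ Browser='Edge';    Path='HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name='UpdateDefault';    Bad=0 },
    @{ Browser='Firefox'; Path='HKLM:\SOFTWARE\Policies\Mozilla\Firefox';      Name='DisableAppUpdate'; Bad=1 }
)

function Test-BrowserUpdatePolicies {
    # Report any policy value that blocks browser updates.
    foreach ($c in $policyChecks) {
        if (-not (Test-Path $c.Path)) { continue }
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -eq $c.Bad) {
            [pscustomobject]@{ Finding = "$($c.Browser) updates disabled by policy"
                               Detail  = "$($c.Path)\$($c.Name) = $v" }
        }
    }
}

function Test-EdgeDllSignature {
    # msedge.dll sits in a per-version folder; a tampered copy fails Authenticode
    # verification (Status HashMismatch) and an unsigned copy reports NotSigned.
    $roots = @("$env:ProgramFiles\Microsoft\Edge\Application",
               "${env:ProgramFiles(x86)}\Microsoft\Edge\Application")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter msedge.dll -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Finding = "msedge.dll signature status: $($sig.Status)"
                                       Detail  = $_.FullName }
                }
            }
    }
}

$findings = @(Test-BrowserUpdatePolicies) + @(Test-EdgeDllSignature)
if ($findings.Count -eq 0) {
    'No update-blocking policy or msedge.dll signature anomalies found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session; a non-Valid signature on msedge.dll or a disabled-update policy that no administrator set is worth investigating further.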
Adrozek infections were concentrated most heavily in Europe, South Asia and Southeast Asia, the researchers said. However, as the campaign is still active, it may expand to other regions over time.
Microsoft recommends that users run antivirus solutions with machine-learning-based protection, such as Microsoft's own built-in antivirus software, to defend against malware families such as Adrozek.
That said, the scope of the campaign appears to be limited to Windows devices, as there are no findings showing an impact on macOS or Linux machines.
Earlier this year, Microsoft removed a list of extensions from its Edge Add-ons store that injected ads into Google and Bing search results. Google took a similar step in the Chrome Web Store, removing extensions that silently generated revenue for attackers from ad-laden search results. However, malware such as Adrozek shows that policing extensions in online stores alone is not enough and that a stricter approach is needed.