Dangerous Adrozek Malware Campaign Persists

Hacker working on two computers

It seems that there is no end in sight for malicious internet entities. Their destructive intents to disrupt communication, destabilize businesses, and attempt to steal data continue. Cybercrime has seen a rather significant recent surge, due to the convenience that 2020 brings for targeting businesses and individuals.

Users or organizations with malicious intents have emphasized their mark on this unfortunate year. The methods they use range from malware, spyware, ransomware to even targetting Covid-19 supply chains.

Now, there is a dangerous ongoing malware campaign called Adrozek threatening to target users and steal data across multiple browser platforms.

A Sophisticated Malware Campaign

Microsoft released a report less than 24 hours ago, warning that there is an ongoing and very persistent malware campaign that effectively pushes ads containing malware via search results.

The Microsoft 365 Defender Research team stated that the objective of the campaign is to inject an abundance of affiliate links into users’ search results, making this a form of adware. Consequently, the goal is to reach as many people as possible and to profit from it.

Microsoft named this type of malicious code, Adrozek. This type of code belongs to a group of browser modifiers. The threat injects ads into search engine results pages (SERPs). Adrozek is a multi-browser cross-platform malware campaign that affects; Yandex Browser, Google Chrome, Microsoft Edge as well as Mozilla Firefox, and possibly more.

Browser modifiers are nothing new, but what makes Adrozek different is that it can act on multiple browsers while constantly extracting credentials. It will also crawl into the small cracks in the targetted device’s system architecture.

Further Information About Adrozek

According to the official Microsoft report, the Adrozek malware is believed to have been active since May 2020, having peaked somewhere in August. More than 30,000 devices were being affected daily at the time of the peak.

Browser Modification

The malware installs browser extensions, changes browser settings, and modifies DLL’s to place scam ads in front of authentic ads when a user searches on a search engine.  It is also able to mutate and evolve, which makes it potentially very dangerous.

Theft of Credentials

Adrozek is very dangerous not only because it is ongoing and very persistent, but because it can steal credentials and extract data to malicious servers like it is already doing on Mozilla Firefox.

Malicious EXE Files

Microsoft has confirmed that the malware includes malicious installers such as ‘quickaudio.exe’, ‘converter.exe’, and ‘audiolava.exe’ that, once installed, hijack the browser on the machine and make multiple changes.

Modifying System Settings

Adrozek doesn’t stop there. While it messes with the browser settings, it delves into system settings and parameters to gain control of the device where it stores its own registry keys. To add to the persistence, it also creates a service for itself that can run in the background.

Large-Scale Attack Operation

Adrozek is de facto a big operation operating throughout the globe, hosting thousands of URLs, hundreds of domains, and tens of thousands of unique malware samples. The concentration is highest in areas of Asia and Europe, at the moment.

How To Stop Adrozek

The image examples on the official report page are crucial to be able to confirm if a browser is infected. Microsoft has also included an attack distribution map, which they say is growing every day.

They have stated that to effectively protect from such advanced campaigns it is important that behavior-based detection and visibility into the entire attack chain are ensured.

Using Microsoft Defender 365 which is already trained to fight Adrozek, is one suggestion. If the user is using Edge, using Smartscreen is a good idea. One should avoid any ‘drive-by‘ (hidden) downloads, so users must keep all software up to date.

If the malware is found, it is advisable to re-install the browser, install anti-malware software, and always keep protection software updated. Finally, a user should always check the legitimacy of what they are downloading.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.