Major Windows Browsers Hit with Widespread Malware Attack Infecting Millions of Devices

Named Adrozek, the malware hijacks browsers' ads and replace with affiliate links besides stealing user credentials that can be used to get into online banking

Thousands of malwares infect millions of devices every month. While most of them are detected by antivirus software, some slip through, wreaking havoc. Microsoft's cybersecurity team has detected one such malware campaign named Adrozek that has infected millions of users since May 2020. The malware targets four major browsers — Google Chrome, Microsoft Edge, Mozilla Firefox and Yandex — to inject ads.

Adrozek malware is an adware that bombards users with ads by modifying DLLs in browsers and changes their settings. Once infected, the malware takes over the browsers' search and replace the search results with affiliate program links. To have a wide reach, the actors behind Adrozek have a distribution network of 159 domains each of which hosts around 17,300 URLs. Each of the URLs on the other hand has around 15,300 malware payloads. According to Microsoft, the malware campaign has already infected thousands of devices in Europe, Southeast Asia and South Asia.

MosaicRegressor malware
Adrozek malware not only bombards users with ad but also steal user credentials (representational image) Pixabay

Not Just Adware

While adware is not as harmful as other malware, Adrozek is special. Apart from ad injection, it steals user credentials and downloads random executable (.exe) files to include device information and active username. In Firefox, Adrozek locates user data by searching for specific keywords such as "encryptedUsername and encryptedPassword."

"It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to attackers," Microsoft researchers added in a blog post.

The malware is crafted to be a 'drive-by' download. In this, users unintentionally download a software setup file from an unknown source. The malware masks it into legitimate software. Researchers found QuickAudio.exe and Audiolava.exe the most associated downloaded file in the campaign. Once installed, the malware drops a file in the Windows temporary folder and then it downloads the main payload in the program files directory. It then modifies browser settings to display malicious ads for affiliated links and steals user credentials including passwords.

1 of 2

"This is a great example of how technically advanced modern attackers are. While we often hear about data breaches and fraudulent wire transfers, campaigns like this quietly run in the background generating income by redirecting search results," Erich Kron a security awareness advocate from KnowBe4 Inc, told SiliconANGLE.

What Should You Do?

Such malware not only affects the users but also advertisers whose ads are being used for such campaigns. As the malware also steals user credentials, users can be targeted with credential surfing attacks to log into banking and shopping websites.

"In many cases, it's likely that the advertisers are unaware that malware is being used to increase the traffic. The advertisers are losing money, as they are presenting ads to possibly uninterested people while paying the cybercriminals," Kron said.

How Adrozek infects a device Microsoft

If you come across shady ads on your browsers, Microsoft advises uninstalling the browser and then reinstalling it. Furthermore, changing all passwords would be ideal to avoid future attacks.

"Attackers love to have access to usernames and passwords that they will then use in credential stuffing attacks on other accounts such as banking or shopping websites. These are successful because people often reuse the same password for many different accounts," Kron added.

Related topics : Cybersecurity