A new malware strain has been spreading to hundreds of thousands of Windows PCs in an effort to inject unauthorized ads into users’ search results, according to Microsoft.
The company has been tracking “Adrozek,” a malware family capable of modifying multiple browsers including Google’s Chrome, Microsoft’s Edge and Mozilla’s Firefox in order to insert the ads into search result pages.
“At its peak in August, the threat was observed on over 30,000 devices every day,” Microsoft warned in a blog post on Thursday.
Inserting the ads into your search results is certainly annoying. But the real threat is how the malware can also steal login credentials from the Firefox browser, and potentially give hackers a launching pad for more damaging crimes.
Adrozek works by modifying a browser’s Dynamic Link Libraries or DLL files to change the settings, including turning off the security safeguards and the automatic updates. The result can place links to ads alongside legitimate ads, as the example below shows.
“The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages,” Microsoft said. “The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.”
To deliver the malware, the hackers have been resorting to drive-by downloads. This can occur when a user clicks on a malicious link or visits a website that’s been tampered with. The PC will trigger the malware to download, which can sometimes install itself on the computer by exploiting a software vulnerability.
Hence, it’s a good idea to always keep your browser up to date. In other cases, the user will install the malware from a drive-by download, believing it to be a safe program.
In this case, Adrozek will drop an .exe file in the PC’s “temp” folder. The .exe file will then deliver the main malware payload in the “Programs Files” folder using a file name such as “Audiolava.exe, QuickAudio.exe, and converter.exe,” Microsoft said.
The company tracked Adrozek’s distribution to 159 unique domains, which hosted tens of thousands of URLs to try and spread the malware.
“In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia,” Microsoft added. “As this campaign is ongoing, this infrastructure is bound to expand even further.
Although the malware is so far aimed at inserting unauthorized ads, Microsoft is concerned Adrozek could one day be used for more malicious crimes, such as redirecting users to scam websites. The good news is that the company’s built-in Windows Defender antivirus can detect and block Adrozek.
“End users who find this threat on their devices are advised to re-install their browsers,” the company added.