The Microsoft Defender Research Team has identified a new malware campaign that targets the most popular web browsers to generate ad revenue for malicious actors. While it may seem harmless to the user, the malware’s sophisticated behavior indicates it could be used to gain deeper access to the data on your Windows device.
Microsoft issued a warning this week of a widespread malware campaign that consists of hijacking the most popular web browsers on tens of thousands of devices every day. Attackers are able to make silent changes to users’ computers to inject ads in search results and extract a significant amount of revenue.
Collectively, this family of browser exploits is called “Adrozek” and was first observed in May.
The attackers are using over a hundred domain names hosting an average of 17,300 URLs. Microsoft researchers say they’ve found more than 15,300 unique malware samples. In just five months, they recorded hundreds of thousands of detections of Adrozek across the globe, particularly in Europe, South Asia, and Southeast Asia.
The methods used by the attackers aren’t new, but they’ve become more sophisticated of late, and they can now affect multiple browsers at the same time, including Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex Browser. Adrozek operates first by adding browser extensions and modifying specific DLL files of your browser, so that attackers can gain the privileges to change settings. This allows them to insert additional ads on top of legitimate ones into web pages you visit.
Adrozek is particularly effective on search engines like Google, where attackers are able to target users based on the keywords they search for. As seen in the image above, a user will typically see search results populated by several affiliate links at the top. The more people who click on these links, the more money the attackers make, since they get paid according to the amount of traffic they can bring to those sponsored pages.
Microsoft explains that Adrozek could easily be used to do more damage to the target PCs by injecting additional malicious payloads and exfiltrating your website credentials. The whole infrastructure that enables the campaign dynamically changes over time, while the domains themselves are improved to look more legitimate.
If you notice the above behavior on your system, one proposed solution is to simply reinstall the browsers you use and learn more about how to prevent malware infections like this one.