There is a new genre of malware circulating through the web. This new malware group specifically attacks browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Yandex by injecting them with malicious extensions. Mircosoft has named this new malware genre which modifies browser settings as Adrozek. This new malware group was first discovered way back in May 2020. Later in August 2020, it was found that the malware was infecting about 30,000 devices per day.
What does it do?
The Adrozek malware latches onto browsers as a legitimate extension which is normally undetected by users. The malware than silently changes browser settings (including security features) along with DLL files to insert malicious ads into the websites related to the information searched by the user. These ads by the malware often lead to affiliated websites. The attackers earn through affiliate advertising programs, which pay by the amount of traffic referred to sponsored affiliated pages. These ads are often placed on real ads to make the users confused. Sometimes these ads lead users to phishing websites when clicked upon.
How does it get installed unnoticed?
As per a report by Microsoft, the new malware, Adrozek gets installed on the PC via drive-by download process. The malware file has a standard .exe format just like any other normal installer file. So, the user unsuspectingly installs the malware which is hiding underneath the disguise of a genuine program. At first, the installer drops a randomly named .exe file in the temporary folder which in return installs the main malware in the Program files folder. The malware program which finally gets installed in the Program files folder disguises itself as legitimate audio-related software and carries names likes converter.exe, Audiolava.exe, or QuickAudio.exe. These newly installed malicious files get themselves latched on to browsers in the disguise of legitimate extensions (it uses IDs of legitimate extensions).
In some cases, it has been found that the Adrozek malware even stops browsers from getting the latest updates in order to stop the security patch updates from being installed.
How does it go unnoticed by antiviruses?
The Adrozek malware gets installed like any other normal program which in return makes it available to access via Apps & features settings. It even gets registered as a Windows service with the same name. These tricks give the malware a perfect disguise as any other normal program. This makes it almost impossible for normal antiviruses to detect it.
How to tackle this malware?
As of now, the malware has only been found to infect PC’s running Windows. So, Microsoft has officially instructed to use antivirus solutions like the Microsoft Defender Antivirus or the Microsoft 365 Defender for Window’s Enterprise versions, as the antivirus has a built-in endpoint protection solution, which uses behaviour-based, machine learning-power, making it suitable to block the Adrozek malware genre.
From May to September, Microsoft recorded hundreds of thousands of encounters of the Adrozek malware globally. The company tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which, in turn, host an average of over 15,300 distinct, polymorphic malware samples.
That will be all for now folks. Make sure to stay tuned to this website for more updates.