Cyberattacks have become rampant over the past few months, especially now that people are relying mostly on digital services in light of the ongoing pandemic. Now, Microsoft has shared details about a new malware campaign targeting major browsers such as Google Chrome, Microsoft Edge, Yandex, and Mozilla Firefox.
The "Adrozek" family of browser modifiers has been active since May 2020, injecting advertisements into search results. These malware-inserted ads lead users to other webpages which pay the attackers by amount of traffic received on their website via Adrozek. Microsoft noted that in August 2020, over 30,000 devices were infected by the malware.
While this type of attack is not new, Adrozek is comparatively sophisticated because it persists in the machine, and can steal credentials as well. Although malware attacks by this family have been noted across the globe, they have focused very strongly on Europe, South Asia, Southeast Asia so far.
Microsoft has highlighted that Adrozek is distributed via drive-by downloads from 159 domains hosting hundreds of thousands of unique URLs. Using polymorphism, these spread unique malware samples which are difficult to detect. Furthermore, the domain infrastructure is very dynamic with some domains being shut down within days with others staying up for months.
The Redmond tech giant has described Adrozek's attack chain and methodology as follows:
As can be seen in the diagram above, the installer from the domain puts a second .exe installer in the %temp% folder. This second installer is then responsible for dropping the main payload under various file names in the Program Files folder.
After Adrozek is installed, it starts making modifications to browser components. This involves making changes to the browser extensions, such as the default "Chrome Media Router" extension in Chrome's case. While the attack pattern on each browser is different, the aim is the same, that is, to use the IDs of reliable extensions and behave as if they are legitimate.
Adrozek installs malware on these extensions, which then procure additional malicious scripts by sending requests to the attacker's server. Apart from requesting these scripts which inject ads, it also sends information about the infected device to the server.
Another portion of the attack chain includes modifying browser DLLs across all browsers, turning off some important security controls. For those unaware, the Preferences and Secure Preferences files are used for security settings by browsers and any unauthorized attempts to this are blocked using integrity checks. Adrozek bypasses this by modifying the function that does the integrity check on these files, nullifying it altogether. The malware is then free to modify security settings without the user being made aware and even turns off automatic updates.
In order to ensure persistence, Adrozek does the following, as described by Microsoft:
In addition to modifying browser setting and components, Adrozek also changes several systems settings to have even more control of the compromised device. It stores its configuration parameters at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\. The ‘tag’ and ‘did’ entries contain the command-line arguments that it uses to launch the main payload. More recent variants of Adrozek use random characters instead of ‘tag’ or ‘did’. To maintain persistence, the malware creates a service named “Main Service”.
With all this done, the malware is free to inject relevant ads into search results and get paid by affiliate websites. Microsoft has noted that while none of these ads have pointed to other malicious websites, this situation can easily change at the whim of the attacker.
While this is all when it comes to Chrome, Edge, and Yandex, Adrozek does launch another attack via Firefox in order to steal credentials. It does this by finding the login.json file in the Firefox directory. This file contains encrypted passwords, usernames, and browser history. The malware decrypts them using the built-in function in Firefox' library and also sends it over to the attacker's server. This technique is not common in other browser modifiers and makes Adrozek particularly dangerous.
Microsoft has highlighted that while the main purpose of this malware family so far has been to insert ads into search results, given the control it manages to establish over a machine as part of its sophisticated attack chain, this can change anytime and become even more dangerous. This is apparent from the credential theft activity Adrozek already carries out on Firefox.
While Microsoft Defender now detects and blocks Adrozek using machine learning capabilities, the company has stated that victims of the attack should reinstall their browsers and educate themselves about the dangers of downloading from untrusted websites. Microsoft has also encouraged users to utilize solutions such as URL filtering offered by Smartscreen on the Edge browser. Meanwhile, organizations have been recommended to only allow authorized apps and services by making use of enterprise-grade solutions available on Microsoft Edge.