The Microsoft Defender research team has identified a new malware campaign targeting the most popular web browsers to generate ad revenue for malicious actors. While this may seem harmless to the user, the sophisticated behavior of the malware suggests that it could be used to gain deeper access to the data on your Windows device.
Microsoft warned this week of a widespread malware campaign that hijacks the most popular web browsers on tens of thousands of devices every day. Attackers could silently modify users’ computers to add ads to search results and generate significant revenue.
This family of browser exploits is collectively called “Adrozek”, and was first observed in May.
Malware attack reported across the globe
The attackers are using more than 100 domain names that host an average of 17,300 URLs. Microsoft researchers say they have found more than 15,300 unique malware samples. In just five months, they recorded hundreds of thousands of Adrozek detections around the world, especially in Europe, South Asia, and Southeast Asia.
The methods used by attackers are not new, but they have become more sophisticated. Now, they can affect multiple browsers at once, including Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex browser.
How Adrozek malware works
Adrozek starts by adding browser extensions and modifying some of the browser's DLL files so that the attackers can change its settings. This lets them insert their own advertisements alongside the legitimate advertisements on the web pages you visit.
Adrozek is particularly effective on search engines like Google, where attackers are able to target users based on the keywords they search for. As seen in the image above, a user will typically see search results with several affiliate links inserted at the top. The more people click on these links, the more money the attackers make, since they are paid by the amount of traffic they bring to those sponsored pages.
Microsoft explains that Adrozek can easily be used to inflict further damage on target PCs by injecting an additional malicious payload and leaking your website credentials. The entire infrastructure that makes the campaign possible changes dynamically over time as the domains themselves are improved to appear more legitimate.
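The two modifications described above, injected browser DLLs and added extensions, can be checked for from a defender's side. The following PowerShell is an added example, not code from the article or from Microsoft's report; the install and profile paths are assumptions for a default per-machine install on 64-bit Windows and should be adjusted for your environment.

```powershell
# Added example, not from the original article or Microsoft's report.
# Two defender checks for the behaviour described above: (1) browser DLLs
# whose Authenticode signature is missing or broken, (2) extensions present
# in the Chrome/Edge default profile. Paths are assumptions for a default install.
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
)
$extensionDirs = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)

# (1) Any DLL under the browser install directory without a valid signature.
$unsignedDlls = foreach ($dir in $browserDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.dll -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File          = $_.FullName
                    Status        = $sig.Status
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# (2) Extension IDs and the names declared in each extension's manifest.json.
$extensions = foreach ($dir in $extensionDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Directory | ForEach-Object {
        $manifest = Get-ChildItem -LiteralPath $_.FullName -Filter manifest.json -Recurse -File |
            Select-Object -First 1
        if ($manifest) {
            $json = Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{ Id = $_.Name; Name = $json.name; Path = $manifest.FullName }
        }
    }
}

"== DLLs without a valid Authenticode signature =="
$unsignedDlls | Format-Table -AutoSize
"== Installed extensions (Chrome/Edge default profile) =="
$extensions | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: compare unsigned or recently modified DLLs and unfamiliar extension IDs against a known-good install of the same browser version before concluding anything.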
What you should do
If you notice the behavior described above on your system, one proposed fix is simply to reinstall the browsers you use, and then to learn more about how to prevent malware infections like this one.