Microsoft has raised the alarm today about a new malware strain that infects users’ devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.
Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day.
But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed “hundreds of thousands” of Adrozek detections all over the globe.
Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia.
How Adrozek spreads and works
Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.
The boobytrapped software installs the Androzek malware, which then proceeds to obtain reboot persistence with the help of a registry key.
Once persistence is assured, the malware will look for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, or the Yandex Browser.
If any of these browsers are found on infected hosts, the malware will attempt to force-install an extension by modifying the browser’s AppData folders.
To make sure the browser’s security features don’t kick in and detect unauthorized modifications, Adrozek also modifies some of the browsers’ DLL files to change browser settings and disable security features.
Modifications performed by Adrozek include:
- Disabling browser updates
- Disabling file integrity checks
- Disabling the Safe Browsing feature
- Registering and activating the extension they added in a previous step
- Allowing their malicious…