Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft
Sophisticated campaign has been going on for months, we're told
On Thursday Microsoft warned that there's an ongoing campaign to distribute malware that modifies web browsers to conduct credential theft and ad fraud.
Since at least May 2020, unidentified cybercriminals have been distributing a family of browser modifiers dubbed Adrozek, Microsoft said. The code, which targets Google Chrome, Microsoft Edge, Mozilla Firefox, and Yandex Browser on Windows, mainly injects ads into search results pages.
"If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines," the Microsoft 365 Defender Research Team said in its blog post.
"The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages."
The attackers make their money through participation in advertising affiliate programs, which pay for the online traffic referred to specific web pages. To date, these ads don't appear to point to sites hosting other malware, but Microsoft suggests that could change at any time.
In Firefox, Adrozek also scans the victim's device for stored user credentials and sends what it finds to the attacker.
Such attacks and tactics have been seen before, but according to Microsoft, the scale and complexity of the campaign, targeting multiple browsers via distributed infrastructure, shows cybercriminals becoming more sophisticated in their efforts.
Microsoft said it has detected 159 unique domains, each hosting an average of 17,300 unique URLs that each host more than 15,300 unique, polymorphic malware samples on average. Its systems measured hundreds of thousands of contacts with Adrozek malware, mainly in Europe, South Asia, and Southeast Asia. And the campaign is ongoing.
This distribution system offers up software for download that unwitting victims run. The installer drops a randomly named .exe file that installs a primary payload disguised as legitimate audio software in the Windows Program Files folder. The installed code then makes changes to various browser components and settings to enable ad injection and credential theft.
Adrozek also attempts to alter browser DLLs, such as MsEdge.dll in Microsoft Edge, so that changes to the Secure Preferences file won't be noticed. In Chromium-based browsers, it modifies a security-related hash integrity check used to prevent tampering. It also adds a policy to prevent the browsers it subverts from being updated.
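The three changes just described (an update-blocking policy, a tampered browser DLL, and a randomly named payload under Program Files) are all things an administrator can look for from a read-only PowerShell session. The script below is an added example written for this article; it is not code from The Register or from Microsoft, and the article does not say which policy Adrozek sets, so the registry locations used are the vendors' documented update policies for Chrome, Edge and Firefox (assumed to be where such a block would show up), and any hit is a lead to confirm rather than proof of infection. Yandex Browser is omitted because its policy location is not given here.

```powershell
# Added example, not from the article: read-only triage for Adrozek-style
# browser tampering. Run in an elevated PowerShell on the Windows host.
# Assumptions: the update-policy registry paths below are the ones the
# browser vendors document; the article itself names no policy.

$findings = @()

# 1. Policies that stop the browser from updating.
$updatePolicies = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Update';        Name = 'UpdateDefault';    Bad = 0 },
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name = 'UpdateDefault';    Bad = 0 },
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox';      Name = 'DisableAppUpdate'; Bad = 1 }
)
foreach ($p in $updatePolicies) {
    if (Test-Path $p.Key) {
        $value = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).($p.Name)
        if ($null -ne $value -and $value -eq $p.Bad) {
            $findings += "[$($p.Browser)] update-blocking policy set: $($p.Key)\$($p.Name) = $value"
        }
    }
}

# 2. Browser DLLs whose Authenticode signature no longer validates
#    (a patched MsEdge.dll or chrome.dll will fail the hash check).
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($dir in $browserDirs) {
    $dlls = Get-ChildItem -Path $dir -Filter *.dll -Recurse -ErrorAction SilentlyContinue
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "[DLL] $($dll.FullName): signature status $($sig.Status)"
        }
    }
}

# 3. Recently created, unsigned executables in fresh Program Files folders
#    (the dropper installs a randomly named payload posing as audio software).
$since = (Get-Date).AddDays(-30)   # assumed lookback window
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    $newDirs = Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
               Where-Object { $_.CreationTime -gt $since }
    foreach ($d in $newDirs) {
        $exes = Get-ChildItem -Path $d.FullName -Filter *.exe -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($sig.Status -ne 'Valid') {
                $findings += "[EXE] $($exe.FullName): created $($exe.CreationTime), signature $($sig.Status)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Adrozek-style indicators found.' } else { $findings }
```

The script only reads the registry and file system and validates signatures; it changes nothing. A legitimately unsigned DLL or a deliberately configured update freeze in a managed fleet will also show up, which is why each line is a lead to check against change records rather than a verdict.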
Microsoft says that its Defender Antivirus, which ships with Windows 10, can defend against Adrozek. And it advises those who find the malware on their system to reinstall their browser. ®