A New Malware Campaign Silently Injects Ads Into Search Results Pages
The Microsoft 365 Defender Research Team recently reported on Adrozek, a relatively new widespread malware campaign that infects users’ devices and browsers and silently injects ads into search results pages. This malware campaign has been active since at least May of 2020 and the Microsoft 365 Defender Research Team says that between May and September of this year, they observed “hundreds of thousands” of Adrozek detections all around the world.
According to Microsoft and ZDNet, this malware is installed when users are redirected from legitimate sites to unofficial domains and they are duped into installing the malware. Adrozek will then find the browsers that are installed on the local machine and attempts to force install a browser extension through the AppData folders.
Some of the changes made by Adrozek include disabling browser updates, disabling file integrity checks, disabling the Safe Browsing feature, registering and activating the extension they added in a previous step, allowing their malicious extension to run in incognito mode, allowing the extension to run without obtaining the appropriate permissions, hiding the extension from the toolbar, modifying the browser’s default home page, and modifying the browser’s default search engine.
By making these changes Adrozek is able to inject ads into search result pages that allow the malicious actors to earn revenue through ad and traffic referral programs.
As of now, Microsoft is reporting that, on Firefox, Adrozek extracting stored credentials and uploading the data to the malicious actor’s servers.
Below is an image, courtesy of Microsoft, depicting the difference between search results on an unaffected machine compared to an Adrozek infected machine.
Due to the advanced use of polymorphism to modify the malware’s distribution infrastructure, Microsoft anticipates this extremely sophisticated operation to not only continue, but to grow in the coming months.
If you are noticing suspicious search results with a large number of ads on your browser, Microsoft has advised end users to re-install their browsers.
You can read the Microsoft 365 Defender Research Team report here: Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers – Microsoft Security
ZDNet also provided an article on Adrozek and the Microsoft 365 Defender Research Team report that can be read here: Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox | ZDNet