Adrozek, the browser malware that injects links and advertisements

A new piece of malware, or rather a new malware family, has been discovered: it is called Adrozek and it infects browsers in order to inject advertisements.

The finding was announced by Microsoft's security research team, which a few days ago published an official analysis of how the malware works. It affects the major browsers and has been active since last May.

Adrozek: the malware that terrifies browsers

Microsoft's warning concerns a new "strain" of malware that inserts unsolicited advertisements into search results.

Adrozek tampers with browser extensions, browser DLLs and browser settings in order to alter search engine results and inject advertisements, in the form of unofficial and unsafe links.

Searches for a browser infected with the Adrozek malware. Credits: Microsoft

If a user clicks on one of the links, they end up on a page "affiliated" with the malware's creators, who earn money from the traffic generated for the sponsors. Adrozek targets several browsers at once and therefore reaches more users: Edge, Chrome, Firefox and Yandex Browser are affected, while Safari appears to be immune.

Behind the malware and its affiliates are 159 domains, each hosting on average 17,300 unique URLs used to distribute the malware's polymorphic samples. The malware has been around since May 2020 and peaked in August, when it was observed on more than 30,000 devices a day worldwide. Adrozek has spread mostly in Europe and in South and Southeast Asia.

Adrozek's diffusion map. Credits: Microsoft

How Adrozek infects

Microsoft's researchers report that Adrozek is installed via drive-by download, that is, without the user's consent and without clicking any download button. In some cases the malware is downloaded when the user clicks on a security alert shown by the site; most of the time simply browsing a site is enough to get infected, without taking any action. The dropper is written to the %temp% folder under a generic name such as setup.exe; it then installs the main payload under Program Files with an innocuous-looking name (Microsoft cites Audiolava.exe, QuickAudio.exe and converter.exe) and registers it as a Windows service so that it survives reboots.

The malware acts mainly on extensions that ship with the browser: on Edge and Chrome it targets Chrome Media Router, on Yandex Browser Yandex Protect, and on Firefox the Radioplayer extension. It edits the extension's manifest and adds malicious scripts which, by connecting to the attacker's server, download the scripts responsible for injecting the advertisements in place of the legitimate results.

Browser extensions before and after the attack. Credits: Microsoft

Browser DLLs are tampered with too: on Edge, for example, the malware patches msedge.dll (the equivalent library in other Chromium-based browsers) to turn off the integrity checks that protect the browser's preference files. Those files (Preferences and Secure Preferences) hold user settings, the home page, the default search engine and the list of allowed extensions; with the check disabled, Adrozek can rewrite them and the browser accepts the result without complaint.
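The integrity check Adrozek disables is an HMAC over each protected preference value, stored alongside the preferences. The following is an added example, not code from the article or from Microsoft, that reproduces the idea in simplified form: a constructed Secure Preferences document is signed, then edited the way the article describes (new default search engine, extra allowed extension) without updating the MACs, and an external verifier catches the edit. The seed, the device id, the tracked-path list and the flat layout of protection.macs are assumptions for the demo; a real browser build uses its own seed, a machine-derived device id and a longer, version-specific list, so this script is not a drop-in checker for real profiles.

```python
import copy
import hashlib
import hmac
import json

# Assumption: made-up seed and device id. A real Chromium build embeds its own
# seed in its resources and derives the device id from the machine.
SEED = b"demo-seed-not-a-real-browser-seed"
DEVICE_ID = ""

# Assumption: a short list of protected paths; real browsers track more.
TRACKED = [
    "homepage",
    "default_search_provider_data.template_url_data",
    "extensions.settings",
]


def _strip_empty(value):
    """Drop empty dicts/lists before hashing (Chromium does the same)."""
    if isinstance(value, dict):
        out = {k: _strip_empty(v) for k, v in value.items()}
        return {k: v for k, v in out.items() if v not in ({}, [])}
    if isinstance(value, list):
        out = [_strip_empty(v) for v in value]
        return [v for v in out if v not in ({}, [])]
    return value


def _serialize(value):
    # Compact JSON with sorted keys so both signer and verifier hash the same bytes.
    return json.dumps(_strip_empty(value), separators=(",", ":"), sort_keys=True)


def compute_mac(seed, device_id, path, value):
    """HMAC-SHA256(seed, device_id + path + serialized value), upper-case hex."""
    msg = (device_id + path + _serialize(value)).encode("utf-8")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()


def _lookup(prefs, path):
    node = prefs
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def sign_prefs(prefs, seed=SEED, device_id=DEVICE_ID):
    """Return a copy of prefs with protection.macs filled in, as the browser does on write."""
    signed = copy.deepcopy(prefs)
    macs = {}
    for path in TRACKED:
        value = _lookup(signed, path)
        if value is not None:
            macs[path] = compute_mac(seed, device_id, path, value)
    signed["protection"] = {"macs": macs}
    return signed


def verify_prefs(prefs, seed=SEED, device_id=DEVICE_ID):
    """Recompute every MAC outside the browser; report 'ok', 'tampered' or 'unsigned' per path.

    Running the check here, rather than trusting the (possibly patched) browser DLL,
    is what makes an Adrozek-style edit visible again."""
    macs = (prefs.get("protection") or {}).get("macs") or {}
    report = {}
    for path in TRACKED:
        value = _lookup(prefs, path)
        expected = macs.get(path)
        if value is None and expected is None:
            continue
        if expected is None:
            report[path] = "unsigned"
        elif value is None:
            report[path] = "tampered"  # a protected value was deleted
        elif hmac.compare_digest(expected, compute_mac(seed, device_id, path, value)):
            report[path] = "ok"
        else:
            report[path] = "tampered"
    return report


# Constructed sample Secure Preferences content (not from a real profile).
CLEAN_PREFS = sign_prefs({
    "homepage": "https://www.example.org/",
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "example",
            "url": "https://search.example.org/?q={searchTerms}",
        }
    },
    "extensions": {"settings": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 5, "state": 1}}},
})


def adrozek_style_edit(prefs):
    """Simulate the edit the article describes: swap the default search engine and
    allow an extra extension, leaving protection.macs untouched."""
    tampered = copy.deepcopy(prefs)
    tampered["default_search_provider_data"]["template_url_data"]["url"] = (
        "https://ads.invalid/?q={searchTerms}")  # hypothetical ad-injecting engine
    tampered["extensions"]["settings"]["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"] = {"location": 4, "state": 1}
    return tampered


if __name__ == "__main__":
    print("clean:   ", verify_prefs(CLEAN_PREFS))
    print("tampered:", verify_prefs(adrozek_style_edit(CLEAN_PREFS)))
```

The design point is that the verifier and the browser must agree byte-for-byte on how a value is serialized before hashing; that is why the seed and serialization rules of the real browser matter, and why Adrozek found it easier to patch the DLL that performs the check than to forge the MACs.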

On Firefox the problem also extends to credentials: Adrozek is able to steal the credentials the user has saved in the browser, using an additional .exe file, and send them to the attacker. The malware searches the profile's login store for the keywords encryptedUsername and encryptedPassword, locates the encrypted values, decrypts them with the NSS function PK11SDR_Decrypt() and sends the result to the attacker's server.
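The two fields the malware looks for live in the profile's logins.json, and each holds a base64-encoded DER structure (key id, cipher identifier, IV, ciphertext) rather than plaintext. The following is an added example, not code from the article or from Microsoft, that builds a constructed logins.json with that structure and parses the blobs back into their components. It shows why the malware has to call PK11SDR_Decrypt() on the victim machine: the ciphertext is useless without the SDR key held in the profile's key database, which that function looks up by the key id. The host name, key id value, IV and ciphertext bytes are constructed filler and decrypt to nothing; the DER layout is the one used by the NSS secret decoder ring.

```python
import base64
import json

# Cipher OIDs that can appear in the algorithm field. Check the OID rather than
# assuming 3DES, which is the one seen in logins.json for years.
OID_DES_EDE3_CBC = "1.2.840.113549.3.7"
OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def _decode_oid(data):
    # First byte packs the first two arcs; enough for the 1.x and 2.16 OIDs used here.
    parts = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_sdr_blob(key_id, oid, iv, ciphertext):
    """Encode SEQUENCE { OCTET STRING keyId, SEQUENCE { OID, OCTET STRING iv }, OCTET STRING data }."""
    algo = _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x04, iv))
    return base64.b64encode(_der(0x30, _der(0x04, key_id) + algo + _der(0x04, ciphertext))).decode()


def parse_sdr_blob(b64):
    """Parse a Firefox SDR blob into key id, cipher OID, IV and ciphertext (all hex/dotted)."""
    raw = base64.b64decode(b64)
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("outer element is not a DER SEQUENCE")
    tag, key_id, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING key id")
    tag, algo, pos = _read_tlv(seq, pos)
    if tag != 0x30:
        raise ValueError("expected algorithm SEQUENCE")
    tag_oid, oid, apos = _read_tlv(algo, 0)
    tag_iv, iv, _ = _read_tlv(algo, apos)
    tag_ct, ct, _ = _read_tlv(seq, pos)
    if (tag_oid, tag_iv, tag_ct) != (0x06, 0x04, 0x04):
        raise ValueError("unexpected tags inside SDR blob")
    return {"key_id": key_id.hex(), "cipher": _decode_oid(oid), "iv": iv.hex(), "ciphertext": ct.hex()}


# Constructed logins.json. Key id f8..01 is the id NSS commonly uses for the SDR
# key in key4.db; IV and ciphertext are filler bytes, not real 3DES output.
SDR_KEY_ID = bytes.fromhex("f8000000000000000000000000000001")
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{
        "id": 1,
        "hostname": "https://mail.example.org",
        "encryptedUsername": build_sdr_blob(SDR_KEY_ID, OID_DES_EDE3_CBC, bytes(range(1, 9)), bytes(range(0x20, 0x28))),
        "encryptedPassword": build_sdr_blob(SDR_KEY_ID, OID_DES_EDE3_CBC, bytes(range(1, 9)), bytes(range(0x10, 0x20))),
        "encType": 1,
    }],
    "version": 3,
})


def extract_login_blobs(logins_json):
    """Find every encryptedUsername/encryptedPassword (the keywords the article names) and parse them."""
    doc = json.loads(logins_json)
    return [{
        "hostname": entry.get("hostname"),
        "username": parse_sdr_blob(entry["encryptedUsername"]),
        "password": parse_sdr_blob(entry["encryptedPassword"]),
    } for entry in doc.get("logins", [])]


if __name__ == "__main__":
    for item in extract_login_blobs(SAMPLE_LOGINS_JSON):
        print(item["hostname"], item["password"]["cipher"], item["password"]["key_id"])
```

Nothing in the file identifies the key itself; decrypting requires the SDR key from key4.db, which is in turn protected by the master password (empty by default). That is the step PK11SDR_Decrypt() performs, and it is why a stolen logins.json alone is worth less to an attacker than code running on the victim with the profile unlocked.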

The file containing the credentials stolen from the user. Credit: Microsoft

Adrozek also changes the browser's automatic update policies so that updates are blocked: an update would replace the tampered DLLs and extension files and thus remove the infection, which is exactly what the malware wants to prevent.

How to protect yourself

If you have been infected, the first thing to do is reinstall the browser and remove any dubious installers or executables from the PC.

To avoid Adrozek, the usual rules apply: do not install unofficial software, do not click on suspicious links, alerts or advertisements, and keep security software active on the computer.

The article Adrozek, browser malware that injects links and advertisements, originally appeared on Tech CuE.