Microsoft 365 Defender Research Team exposes Adrozek Malware Hijacking Firefox, Chrome, Yandex and Edge Browsers

The Microsoft 365 Defender Research Team has exposed Adrozek, the malware behind a recent campaign against popular web browsers that secretly injects malware-infested ads into search results to earn money through affiliate advertising programs.


From May to September 2020, the Microsoft 365 Defender Research Team tracked an “expansive, dynamic attacker infrastructure” comprising 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn hosted more than 15,300 unique, polymorphic malware samples on average.


A recent blog post from the Microsoft 365 Defender Research team warns users about new malware targeting Google Chrome, Firefox, Microsoft Edge and Yandex Browser that secretly injects malware-infested ads into search results to earn money through affiliate advertising programs. In this campaign, Adrozek inserts additional, unauthorized ads on top of the legitimate ads shown on search engine results pages, so that users inadvertently click on them.


Microsoft said the persistent browser-modifier malware has been observed since May 2020, and that in August 2020 it was attacking browsers on over 30,000 devices a day.

Based on internal telemetry, the highest concentration of victims appears to be in Europe, South Asia and Southeast Asia, but the malware may spread to other geographies soon, as the campaign is still active.

Installation of Adrozek Malware


Attackers use this sprawling infrastructure to distribute hundreds of thousands of unique Adrozek installer samples. Each of these files is heavily obfuscated and uses a unique file name that follows this format: setup__.exe.

Image: Microsoft

When run, the installer drops a .exe file with a random file name in the %temp% folder. This file in turn drops the main payload in the Program Files folder using a file name that makes it look like legitimate audio-related software. We have observed the malware use various names like Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed like a usual program that can be accessed through Settings > Apps & features and is registered as a service with the same name.


Browser DLLs as per Microsoft

The malware also tampers with certain browser DLLs. For instance, on Microsoft Edge, it modifies MsEdge.dll to turn off security controls that are crucial for detecting any changes in the Secure Preferences file.
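The installation chain and the DLL tampering described above translate into two checks a defender can run over an endpoint inventory. The script below is an added example, not Microsoft's code or detection logic from the original post: it correlates a file inventory with the registered services to flag the pattern the article describes (an audio-themed executable under Program Files that is also registered as a service of the same name, plus any setup_*.exe installer), and compares a browser DLL against a hash recorded from a known-good install. The regular expression for the installer name, the record types and the sample inventory are all assumptions or constructed data; real input would come from an EDR or inventory export.

```python
"""Hunting helpers for the Adrozek install pattern (added example, not
Microsoft's code). Only indicators named in the article are used."""
import hashlib
import re
from dataclasses import dataclass

# Payload file names reported in the article; extend from your own telemetry.
KNOWN_PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}
# The article gives the installer format only as "setup__.exe"; this pattern
# is an assumption that keeps the fixed prefix and extension.
INSTALLER_RE = re.compile(r"^setup_.*\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class FileRecord:
    path: str          # full path as exported from the endpoint (assumed schema)


@dataclass(frozen=True)
class ServiceRecord:
    name: str          # service name as registered
    binary_path: str   # image path of the service


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_install_indicators(files, services):
    """Correlate a file inventory with the service list; return (severity, detail).

    A payload name alone is weak evidence (the names mimic ordinary audio
    software), so the rule escalates to "high" only when the same name is
    also registered as a service, which is what the article describes.
    """
    findings = []
    svc_by_name = {s.name.lower(): s for s in services}
    for rec in files:
        name = _basename(rec.path)
        low = name.lower()
        folder = rec.path.lower()
        if INSTALLER_RE.match(name):
            findings.append(("low", f"setup_*.exe installer present: {rec.path}"))
        if low in KNOWN_PAYLOAD_NAMES and "\\program files" in folder:
            stem = low[:-len(".exe")]
            svc = svc_by_name.get(stem)
            if svc is not None:
                findings.append(("high", f"{name} in Program Files is registered "
                                         f"as service '{svc.name}' ({svc.binary_path})"))
            else:
                findings.append(("medium", f"known Adrozek payload name in Program Files: {rec.path}"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_dll_integrity(dll_bytes: bytes, baseline_sha256: str) -> bool:
    """True when the DLL matches a hash recorded from a clean install.

    The article says Adrozek patches MsEdge.dll to disable its Secure
    Preferences checks; any byte change shows up as a hash mismatch against a
    baseline taken from a known-good machine of the same browser version.
    """
    return sha256_hex(dll_bytes) == baseline_sha256.lower()


# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\setup_x1.exe"),
    FileRecord(r"C:\Program Files\Audiolava\Audiolava.exe"),
    FileRecord(r"C:\Program Files\Notepad++\notepad++.exe"),
]
SAMPLE_SERVICES = [
    ServiceRecord("Audiolava", r"C:\Program Files\Audiolava\Audiolava.exe"),
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for severity, detail in find_install_indicators(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"[{severity}] {detail}")
    # Constructed stand-in for MsEdge.dll bytes and its recorded baseline.
    clean = b"MZ...clean-msedge-dll-bytes"
    baseline = sha256_hex(clean)
    print("MsEdge.dll intact:", check_dll_integrity(clean, baseline))
    print("MsEdge.dll intact after patch:", check_dll_integrity(clean + b"\x90", baseline))
```

The severity tiers matter in practice: setup_*.exe and names like converter.exe are common enough that a single match should open an investigation, not an alert, while the file-plus-service correlation is specific to the behaviour Microsoft describes. The DLL check is only as good as the baseline, so record hashes per browser version from a clean reference machine and re-baseline after updates.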

Image: Microsoft

And if this wasn’t bad enough, Microsoft notes that on Firefox, Adrozek also contains a secondary feature that extracts credentials from the browser and uploads the data to the attacker’s servers.