On Thursday December 10, 2020, Microsoft released an ongoing campaign impacting popular web browsers that possibly injects malware-infested ads into search results. A malware campaign that showed up in August of 2020 was observed on more than 30,000 devices each day. Since its release date, this malware has been detected in locations such as Europe and Southeast Asia.
According to Microsoft, Adrozek is an expansive, dynamic attacker infrastructure. This ongoing campaign has so far used 159 domains to host "an average of 17,300 unique URLs" that delivered over 15,300 polymorphic malware samples to compromised devices leading to hundreds of thousands of samples being deployed on infected devices since May.
The users are served with an executable that gets saved in the PC’s temp folder that develops and installs the main payload while being disguised as an audio software into program files. After upload, Adrozek will add malicious scripts injecting ads to the extensions targeted for each of the browsers it compromises. This malware will affect each browser differently. Adrozek turns off security controls on Microsoft Edge and other Chromium-based browsers, however, when utilizing Firefox, it steals encrypted users credentials from their profiles and later decrypts it and sends it to operators.
Moderations performed by Adrozek:
· Disabling browser updates
· Disabling file integrity checks
· Disabling the Safe Browsing feature
· Registering and activating the extension they added in a previous step
· Allowing their malicious extension to run in incognito mode
· Allowing the extension to run without obtaining the appropriate permissions
· Hiding the extension from the toolbar
· Modifying the browser's default home page
· Modifying the browser's default search engine
Microsoft stated that “with this additional function, Adrozek sets itself apart from other browser modifiers and demonstrates that there’s no such thing as low-priority or non-urgent threats”. While this malware’s main goal is to introduce ads and refer traffic to certain websites, the attack chain involves highly developed behavior that allows attackers to gain a strong foothold on a device.
The E-ISAC is providing this information for member awareness. If you have any questions or comments, please reach out to us at operations[@]eisac.com [mailto:operations[@]eisac.com] or at 202-790-6000. Members and partners are encouraged to share information via the E-ISAC Watch at firstname.lastname@example.org, posting appropriate information on the E-ISAC Portal, or calling 202-790-6000 (24/7).
1. hXXps://www.zdnet.com/article/microsoft-exposes-adrozek-malware-that-hijacks-chrome-edge-and-firefox/?&web_view=true [hXXps://www.zdnet.com/article/microsoft-exposes-adrozek-malware-that-hijacks-chrome-edge-and-firefox/?&web_view=true]
3. hXXps://www.fudzilla.com/news/52037-microsoft-warns-of-new-adrozek-malware#:~:text=Targets%20all%20the%20major%20browsers&text=Dubbed%20%22Adrozek%22%20the%20browser%20modifiers,on%20their%20website%20via%20Adrozek [hXXps://www.fudzilla.com/news/52037-microsoft-warns-of-new-adrozek-malware#:~:text=Targets%20all%20the%20major%20browsers&text=Dubbed%20%22Adrozek%22%20the%20browser%20modifiers,on%20their%20website%20via%20Adrozek].
- Canadian CERTs
- CRISP - Cyber Risk Info Sharing Program
- DHS - NICC, NCCIC, US-CERT, etc
- DOE Complex
- E-ISAC AOO Members
- E-ISAC Staff
- FBI, LE Fusion
- FERC - OEIS, etc
- International (other ISACs, CERTs)
- Other (inc. local/state commissions)
- Trade Organizations
- Watch Floor