Adrozek Malicious Web Browser Attack

A recent Microsoft blog post (Microsoft 365 Defender Research Team 2020) describes an active malware campaign that has been running since at least May 2020. The campaign targets some of the most popular web browsers, Microsoft Edge, Google Chrome, Yandex Browser and Mozilla Firefox, and has affected a very large number of users. It peaked in August 2020, when the malware was observed on more than 30,000 devices every day.

So how does this attack work?

The cybercriminals use a browser modifier called Adrozek to plant malicious browser extensions in the browsers listed above. Adrozek adds browser extensions, modifies a specific dynamic link library (DLL) for each target browser, and changes browser settings so that additional, unauthorized ads are injected into web pages, often on top of the legitimate ads in search results.

The intended effect is that users searching for particular keywords inadvertently click on these injected ads, which take them to affiliate pages. The attackers earn money through affiliate advertising programs, which pay according to the amount of traffic referred to those pages.

The malware is installed on devices by drive-by download. McAfee defines a drive-by download as malicious code that takes advantage of a browser or operating system that is out of date or has an unpatched security flaw. It is called a drive-by download because the user does not need to click anything or accept any software: simply visiting the web page is enough for the code to be downloaded. In Adrozek's case, Microsoft reports that the downloaded installer drops a randomly named executable in the user's temporary folder, which in turn installs the main payload under Program Files and sets it to run at startup so that it persists across reboots.

From May to September 2020, Microsoft recorded 159 unique domains distributing the malware, each hosting on average 17,300 unique URLs, which in turn hosted more than 15,300 unique, polymorphic malware samples. Some of these domains were live for only a single day, while others stayed active for longer periods, which is why blocking individual domains or file hashes is of limited use against this campaign.

Adrozek also tampers with browser DLLs. On Microsoft Edge, Microsoft reports that it modifies MsEdge.dll to turn off the security controls that would otherwise detect changes to the Secure Preferences file, and the other targeted browsers are tampered with in a similar way. The Secure Preferences file stores user settings and preferences such as the home page and the default search engine, so once its integrity checks are disabled Adrozek can rewrite them silently.
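To make the settings changes described in the two paragraphs above concrete, here is an added example (it is not code from Microsoft's report, nor from Adrozek itself) that audits a Chromium-family Secure Preferences file, the format used by both Chrome and Edge, for exactly the things the malware changes: extensions that are not on an allow-list or were not installed from the Web Store, a replaced home page, and a replaced default search engine. The key names follow Chromium's Secure Preferences layout; the sample document, the extension IDs and names, the URLs, the baseline values and the default profile paths are all constructed or assumed for this example.

```python
"""Audit a Chromium-family Secure Preferences file (Chrome, Edge) for the
changes Adrozek is reported to make: added extensions, a replaced home
page and a replaced default search engine.  Added example, not code from
the Microsoft report."""
import json
import os
import sys
from pathlib import Path
from typing import List

# Constructed sample.  Key names follow Chromium's Secure Preferences layout;
# the extension IDs, names, paths and URLs are invented for this example.
SAMPLE_SECURE_PREFERENCES = r"""
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "location": 1,
        "manifest": {"name": "Example Store Extension", "version": "1.0"},
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "state": 1
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "location": 4,
        "manifest": {"name": "Sideloaded Helper", "version": "0.1"},
        "path": "C:\\ProgramData\\SideloadedHelper\\ext",
        "state": 1
      }
    }
  },
  "homepage": "http://search-redirect.example/",
  "homepage_is_newtabpage": false,
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "search-redirect.example",
      "short_name": "Redirect Search",
      "url": "http://search-redirect.example/?q={searchTerms}"
    }
  }
}
"""

# Assumed baseline for the fleet: take these values from a known-good profile.
BASELINE = {
    "homepage": "https://intranet.example.com/",
    "search_keyword": "google.com",
    "allowed_extension_ids": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
}


def load_prefs(text: str) -> dict:
    """Parse a Secure Preferences document (it is plain JSON)."""
    return json.loads(text)


def audit_prefs(prefs: dict, baseline: dict) -> List[str]:
    """Return one finding per deviation from the baseline; empty list if clean."""
    findings = []
    # 1. Extensions: anything outside the allow-list, or not from the Web Store.
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        name = entry.get("manifest", {}).get("name", "<no manifest name>")
        if ext_id not in baseline["allowed_extension_ids"]:
            findings.append(f"unexpected extension {ext_id} ({name})")
        if not entry.get("from_webstore", False):
            findings.append(
                f"extension {ext_id} ({name}) not from the Web Store, path {entry.get('path')}")
    # 2. Home page.
    homepage = prefs.get("homepage")
    if homepage and homepage != baseline["homepage"]:
        findings.append(f"home page changed to {homepage}")
    # 3. Default search engine.
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if dsp.get("keyword") and dsp["keyword"] != baseline["search_keyword"]:
        findings.append(
            f"default search engine changed to {dsp.get('short_name')} ({dsp.get('url')})")
    return findings


def audit_file(path: Path, baseline: dict = BASELINE) -> List[str]:
    """Audit a Secure Preferences file on disk."""
    return audit_prefs(load_prefs(path.read_text(encoding="utf-8")), baseline)


def default_profile_files() -> List[Path]:
    """Default per-user Secure Preferences locations on Windows (assumed)."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return [local / "Google" / "Chrome" / "User Data" / "Default" / "Secure Preferences",
            local / "Microsoft" / "Edge" / "User Data" / "Default" / "Secure Preferences"]


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]] or default_profile_files()
    for target in targets:
        if not target.is_file():
            print(f"{target}: not found")
            continue
        for finding in audit_file(target) or ["clean against baseline"]:
            print(f"{target}: {finding}")
```

Run with no arguments to audit the default Chrome and Edge profiles, or pass one or more Secure Preferences paths. Two caveats: a browser that has not been tampered with normally refuses to honour a Secure Preferences file whose integrity values do not match, so a file that fails this audit while the browser accepts it points at the DLL tampering described above; and this audit says nothing about the DLLs themselves, which should be compared against the vendor's signed binaries (on Windows, for example with Get-AuthenticodeSignature) rather than trusted because the settings look right.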

On Mozilla Firefox, Adrozek goes a step further: it drops a randomly named .exe file that performs credential theft. The executable searches the Firefox profile data for the keywords encryptedUsername and encryptedPassword (the field names Firefox uses in its logins.json saved-logins store), decrypts the stored values using the browser's own cryptographic library (Microsoft names the NSS function PK11SDR_Decrypt()), and sends the stolen credentials to the attacker.
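The keyword search in the paragraph above can be turned around into a triage check for the dropped executable. The script below is an added example, not Microsoft's detection logic and not the stealer itself: it flags files that embed both logins.json field names, in either ASCII or UTF-16LE (the encoding Windows executables commonly use for string constants). The sample byte blobs are constructed for this example, and the default hunt location (the user's temporary folder) is an assumption.

```python
"""Triage heuristic for the Firefox credential stealer described by Microsoft:
flag files that embed the logins.json field names encryptedUsername and
encryptedPassword, in ASCII or UTF-16LE.  Added example, not Microsoft's code."""
import os
import tempfile
from typing import Dict, List

MARKERS = ("encryptedUsername", "encryptedPassword")
ENCODINGS = ("ascii", "utf-16-le")


def marker_hits(data: bytes) -> Dict[str, List[str]]:
    """Return {marker: [encodings in which it was found]} for markers present."""
    hits: Dict[str, List[str]] = {}
    for marker in MARKERS:
        found = [enc for enc in ENCODINGS if marker.encode(enc) in data]
        if found:
            hits[marker] = found
    return hits


def is_suspicious(data: bytes) -> bool:
    """Both field names together is the pattern worth pulling for analysis."""
    return set(marker_hits(data)) == set(MARKERS)


# Constructed samples, not real malware: an innocuous blob, and a blob that
# embeds both field names as UTF-16LE the way a stealer's string table might.
CLEAN_SAMPLE = b"MZ\x90\x00" + b"nothing to see here" * 4
STEALER_LIKE_SAMPLE = (
    b"MZ\x90\x00"
    + "encryptedUsername".encode("utf-16-le")
    + b"\x00\x00"
    + "encryptedPassword".encode("utf-16-le")
)


def scan_directory(root: str, max_bytes: int = 50_000_000) -> List[str]:
    """Walk root and return the paths of files that trip is_suspicious()."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip huge files; the dropper is small
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished between listing and open
            if is_suspicious(data):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Assumed hunt location: the per-user temporary folder.
    for hit in scan_directory(tempfile.gettempdir()):
        print("suspicious:", hit)
```

Treat a hit as a reason to pull the file for analysis, not as a verdict: Firefox's own installation and profile files, and many password managers, legitimately contain these field names, so exclude those directories, and a packed or encrypted payload will not expose the strings at all until it runs.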

What should we look out for?

Because the infection is silent and the changes are made inside the browser itself, it can be hard to spot; the best general practice is to download software only from trusted sources. Microsoft has published a comparison image (featured below) showing the difference between Google search results on a machine unaffected by Adrozek and on an infected one.

The most visible difference is the layout. Google aims to return the most relevant results for the search query. The image on the left shows results for the keyword that the user would actually be interested in. The image on the right has added a list of free downloads that were never searched for. Looking closer, the URLs of the free downloads use random-looking domain names, a strong indication that these downloads are malicious.

How can we best protect ourselves from malware attacks?

  • If you find Adrozek on your web browser, Microsoft advises re-installing the browser. Because the Firefox variant steals saved credentials, also change any passwords that were stored in the browser.
  • Get educated about preventing malware infections and the risk of downloading and installing software from untrusted sources.
  • Use security software with URL filtering, such as:
    • McAfee AntiVirus
    • Norton AntiVirus
    • Kaspersky AntiVirus
  • Configure security software to download and install updates automatically, and keep the browser and operating system patched as well, because drive-by downloads like this one rely on out-of-date or vulnerable software.

References:

Lyngaas S. 2020, Scammers use Chrome, Firefox extensions in widespread ad fraud campaign, CyberScoop, viewed 15 December 2020, <https://www.cyberscoop.com/browser-extensions-fraud-chrome-firefox-microsoft/>.

McAfee 2013, What is a “Drive-By” Download?, McAfee, viewed 15 December 2020, <https://www.mcafee.com/blogs/consumer/drive-by-download>.

Microsoft 365 Defender Research Team 2020, Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers, Microsoft, viewed 15 December 2020, <https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/>.

Rubenking N. 2020, The Best Antivirus Protection for 2021, PC Mag Australia, viewed 15 December 2020, <https://au.pcmag.com/antivirus/8949/the-best-antivirus-protection>.
