Microsoft warns of Adrozek, malware that hijacks browsers, injects ads and steals credentials

The Microsoft 365 Defender team warned of a new malware family in its latest blog post: it hijacks the browser and steals credentials through several means.

The Microsoft security team named it Adrozek. “If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines.”

The malware family gets onto the user’s computer through drive-by downloads and similar means, then hijacks all installed browsers and tampers with the search engine’s normal results.

By mixing its own ads into the results this way, the gang behind it induces users to click and collects the affiliate ad revenue; it also uses the extensions to steal credentials saved in the browser.
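The post says Adrozek patches a specific DLL per target browser but does not name the files, so a local check has to cover every DLL under each browser's install folder. The following PowerShell script, added here as an example rather than taken from Microsoft's post, verifies the Authenticode signature of those DLLs; a file that has been patched on disk no longer matches its embedded signature, so its status drops from `Valid` to `HashMismatch`. The install paths are the default locations and are an assumption.

```powershell
# Added example (not from Microsoft's post): check the Authenticode signature of
# every DLL under the default install folders of the browsers Adrozek targets.
# Default install locations (assumption; adjust for non-default installs).
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    "$env:ProgramFiles\Mozilla Firefox"
)

function Test-BrowserDllIntegrity {
    param([string[]]$Directories)

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # Chrome and Edge keep their DLLs in a versioned subfolder, hence -Recurse.
        Get-ChildItem -LiteralPath $dir -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = $sig.Status   # Valid, HashMismatch, NotSigned, ...
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Modified = $_.LastWriteTime
                }
            }
    }
}

# Report anything that is not cleanly signed. On an untouched install this list
# should be empty or contain only DLLs the vendor ships unsigned.
$findings = Test-BrowserDllIntegrity -Directories $browserDirs |
    Where-Object { $_.Status -ne 'Valid' }

if ($findings) {
    $findings | Sort-Object Status, Path | Format-Table -AutoSize
} else {
    Write-Host 'All browser DLLs carry a valid Authenticode signature.'
}
```

`HashMismatch` is the strong signal: the file carries a vendor signature that no longer matches its contents, which is what an in-place patch produces. A `NotSigned` entry needs a second look at `Signer` and `Modified` before it is treated as tampering, since a few vendor-shipped helper DLLs are legitimately unsigned.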

Image: Microsoft

According to Microsoft’s telemetry, the most affected regions are currently Southeast Asia, South Asia and Europe. Microsoft’s data shows that “the threat was observed on over 30,000 devices every day.”

When users search for certain keywords, the malicious extensions hijack the results and add third-party affiliate ad links to the search results page.

When users click on these affiliate links, they generate revenue for the hacker group, and this kind of hijacking is hard for users to notice.

For example, the injected ad links are styled like normal, non-advertising results, and they are placed at the top of the results so that they are more likely to be clicked.

More puzzlingly, the group also goes after users’ account passwords: in addition to serving ads, it steals the passwords the browser has saved.

The Microsoft security team observed that the group’s infrastructure changes rapidly, with the number of domain names and addresses in use and the number of malicious samples soaring.

Microsoft explains that Adrozek uses 159 distinct domain names, each hosting an average of 17,300 URLs, with 15,300 malware samples per URL.

Since Adrozek activity was first observed in May 2020, the number of Microsoft interceptions reached 100,000 in September 2020 and shows no sign of slowing.

Microsoft Defender already blocks it automatically, so Windows 10 users with the built-in antivirus enabled get automatic detection and removal.

Users can also manually review the browser’s extension management page for unknown extensions, or run the browser’s built-in security check.
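The manual review above can be done for every local profile at once from PowerShell. The script below is an added example, not code from Microsoft or from the browser vendors; it reads each Chromium extension's `manifest.json` (Chrome and Edge) and each Firefox profile's `extensions.json`, and lists what is installed along with the fields that help tell a store-installed extension from a side-loaded one. The profile paths are the default locations and the JSON layouts are those of current Chromium and Firefox builds, both assumptions.

```powershell
# Added example (not Microsoft's or the vendors' code): inventory extensions across
# all local Chrome, Edge and Firefox profiles so unexpected entries can be reviewed.
# Default profile locations (assumption).
$chromiumRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
$firefoxRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"

function Get-ChromiumExtensions {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $browser = Split-Path (Split-Path $root -Parent) -Leaf   # "Chrome" or "Edge"

        # Each profile ("Default", "Profile 1", ...) has an Extensions folder holding
        # one directory per extension id, with one subfolder per installed version.
        Get-ChildItem -LiteralPath $root -Directory |
            ForEach-Object {
                Get-ChildItem -LiteralPath (Join-Path $_.FullName 'Extensions') -Directory -ErrorAction SilentlyContinue
            } |
            ForEach-Object {
                $idDir = $_
                Get-ChildItem -LiteralPath $idDir.FullName -Recurse -Filter manifest.json -File |
                    ForEach-Object {
                        $m = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
                        [pscustomobject]@{
                            Browser     = $browser
                            Id          = $idDir.Name
                            Name        = $m.name          # may be a __MSG_*__ locale key
                            Version     = $m.version
                            # Store-installed extensions carry the store's update_url; an
                            # absent or unfamiliar one indicates a side-loaded extension.
                            UpdateUrl   = $m.update_url
                            Permissions = ($m.permissions -join ', ')
                            Installed   = $idDir.CreationTime
                        }
                    }
            }
    }
}

function Get-FirefoxExtensions {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -Filter extensions.json -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $profileName = $_.Directory.Name
            (Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json).addons |
                Where-Object { $_.type -eq 'extension' } |   # skip themes, dictionaries, langpacks
                ForEach-Object {
                    [pscustomobject]@{
                        Browser  = 'Firefox'
                        Profile  = $profileName
                        Id       = $_.id
                        Name     = $_.defaultLocale.name
                        Version  = $_.version
                        Location = $_.location      # 'app-profile' = installed into this profile
                        Active   = $_.active
                        Signed   = $_.signedState   # 2 = signed by Mozilla; 0 = unsigned
                    }
                }
        }
}

# Print everything; review any entry you do not recognise, in particular Chromium
# extensions without a store update_url and Firefox extensions that are unsigned.
Get-ChromiumExtensions -Roots $chromiumRoots | Format-Table Browser, Id, Name, Version, UpdateUrl, Permissions -AutoSize
Get-FirefoxExtensions -Root $firefoxRoot    | Format-Table Browser, Profile, Id, Name, Version, Location, Signed -AutoSize
```

Broad permissions such as access to all sites combined with a missing store `update_url` are the profile a side-loaded ad-injecting extension would show; cross-check the `Installed` timestamp against when the browser started behaving oddly, and remove anything you cannot account for through the browser's own extension page.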