Published December 16, 2020
Author: Ash Khan

Recently, Microsoft highlighted an ongoing campaign that targets popular web browsers and injects malware-laden ads into search results to earn money through affiliate advertising.

The campaign — which affects Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox on Windows — aims to add unauthorized ads on top of the legitimate ads displayed on search engine results pages, leading users to click on these ads inadvertently.

According to Microsoft, over 30,000 devices are affected every day by this persistent browser modifier malware.

As the Windows maker states, cybercriminals abusing affiliate programs is nothing new—browser modifiers are among the oldest types of threats. However, the fact that this campaign uses a single piece of malware that affects multiple browsers shows how this threat type continues to grow more sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to further risks.

Once Adrozek is dropped and installed on target systems via drive-by downloads, it makes multiple changes to browser settings and security controls in order to install malicious add-ons that pose as genuine by reusing the IDs of legitimate extensions.

Although up-to-date browsers, built by expert IT consultants, have proper integrity checks to prevent tampering, the malware disables that feature, allowing the attackers to evade security defences and use the extensions to fetch additional scripts from remote servers. Those scripts inject bogus advertisements, generating revenue by driving traffic to the fraudulent ad pages.

What else can it do?

On Mozilla Firefox, Adrozek goes one step further, carrying out credential theft and exfiltrating the stolen data to attacker-controlled servers.

“And while the malware’s main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behaviour that allows attackers to gain a strong foothold on a device. The addition of credential theft behaviour shows that attackers can expand their objectives to take advantage of the access they’re able to gain.”

IT Company provides website malware protection and website security services powered by SiteLock™, the global leader in website security and the only security solution to offer complete, cloud-based website protection. Its 360-degree monitoring finds and fixes threats, prevents future attacks, accelerates website performance and meets PCI compliance standards for businesses and websites of all sizes. Founded in 2008, SiteLock protects over 12 million websites worldwide.