A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 machines every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers (Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox), exposing the attackers' intent to reach as many Internet users as possible.

We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. The intended effect is for users, searching for certain keywords, to unknowingly click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate ad programs, which pay by the amount of traffic referred to sponsored affiliated pages.

Figure 1. Comparison of search results pages on an affected machine and one with Adrozek running.

Cybercriminals abusing affiliate programs is not new; browser modifiers are some of the oldest types of threats. Nonetheless, the fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat category continues to become increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected machines to additional risks.

Such a sustained, far-reaching campaign requires an expansive, dynamic attacker infrastructure. We tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average. In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia. As this campaign is ongoing, this infrastructure is bound to expand even further.

Figure 2. Geographic distribution of Adrozek encounters from May to September 2020.

Effectively protecting against rampant, persistent campaigns like this that incorporate multiple components, polymorphism, and evolved malware behavior requires advanced, behavior-based detection and visibility across the whole attack chain rather than specific components. In this blog, we’ll share our in-depth analysis of this campaign, including the distribution architecture and malware behavior, and provide recommended defenses.

Distribution infrastructure

The Adrozek malware is installed on devices through drive-by download. In our tracking of the Adrozek campaign from May to September 2020, we found 159 unique domains used to distribute hundreds of thousands of unique malware samples. Attackers relied heavily on polymorphism, which allows them to churn out huge volumes of samples as well as to evade detection.

While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting nearly 250,000. This massive infrastructure indicates how determined the attackers are to keep this campaign operational.

Figure 3. Number of URLs and number of files hosted on Adrozek domains with at least 100 files.

The distribution infrastructure is also very dynamic. Some of the domains were up for just one day, while others were active for longer, up to 120 days. Interestingly, we found some of the domains distributing clean files like Process Explorer, likely an attempt by the attackers to improve the reputation of their domains and URLs and evade network-based protections.

Installation

Attackers use this sprawling infrastructure to distribute hundreds of thousands of unique Adrozek installer samples. Each of these files is heavily obfuscated and uses a unique file name that follows this format: setup__.exe.

Figure 4. Adrozek attack chain

When run, the installer drops an .exe file with a random file name in the %temp% folder. This file in turn drops the main payload in the Program Files folder using a file name that makes it look like legitimate audio-related software. We have observed the malware use various names like Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed like a usual program that can be accessed through Settings > Apps & features, and registered as a service with the same name.

Figure 5. Adrozek installed as a program that can be accessed through the Apps & features setting

Modifying browser components

Once installed, Adrozek makes multiple changes to the browser settings and components. These changes allow the malware to inject ads into search engine results pages.

Extensions

The malware makes changes to certain browser extensions. On Google Chrome, the malware typically modifies "Chrome Media Router", one of the browser's default extensions, but we have seen it use different extensions.

Each extension on Chromium-based browsers has a unique 32-character ID that users can use to locate the extension on machines or on the Chrome Web Store. On Microsoft Edge and Yandex Browser, it uses the IDs of legitimate extensions, such as "Radioplayer", to masquerade as legitimate. As it is rare for most of these extensions to be already installed on devices, it creates a new folder with this extension ID and stores malicious components in this folder. On Firefox, it appends a folder with a Globally Unique Identifier (GUID) to the browser extension. In summary, the paths and extension IDs used by the malware for each browser are below:

Browser: extension path example
Microsoft Edge: %localappdata%\Microsoft\Edge\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch
Google Chrome: %localappdata%\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm (might vary)
Mozilla Firefox: %appdata%\Roaming\Mozilla\Firefox\Profiles\\Extensions\14553439-2741-4e9d-b474-784f336f58c9
Yandex Browser: %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch

Despite targeting different extensions on each browser, the malware adds the same malicious scripts to these extensions. In some instances, the malware modifies the default extension by adding seven JavaScript files and one manifest.json file to the target extension's file path. In other instances, it creates a new folder with the same malicious components.

Figure 6. JavaScript and JSON files added to the target extension’s file path

These malicious scripts connect to the attacker’s server to fetch additional scripts, which are responsible for injecting advertisements into search results. The domain name of the remote server is specified in the extension’s scripts. The malware also sends information about the device to the said remote server.

Figure 7. Additional downloaded script

Browser DLLs

The malware also tampers with certain browser DLLs. For instance, on Microsoft Edge, it modifies MsEdge.dll to turn off security controls that are crucial for detecting any changes in the Secure Preference file.

Figure 8. Comparison of original and tampered with MsEdge.dll.

This technique impacts not only Microsoft Edge but other Chromium-based browsers. These browsers store user settings and preferences, such as home page and default search engine, in the Preferences file. For each of the four target browsers, it modifies the relevant DLL:

Browser: modified files
Microsoft Edge: %PROGRAMFILES%\Microsoft\Edge\Application\\msedge.dll; %localappdata%\Microsoft\Edge\User Data\Default\Secure Preferences; %localappdata%\Microsoft\Edge\User Data\Default\Preferences
Google Chrome: %PROGRAMFILES%\Google\Chrome\Application\\chrome.dll; %localappdata%\Google\Chrome\User Data\Default\Secure Preferences; %localappdata%\Google\Chrome\User Data\Default\Preferences
Yandex Browser: %PROGRAMFILES%\Yandex\YandexBrowser\\browser.dll; %localappdata%\Yandex\YandexBrowser\User Data\Default\Secure Preferences; %localappdata%\Yandex\YandexBrowser\User Data\Default\Preferences
Firefox: %PROGRAMFILES%\Mozilla Firefox\omni.ja; %appdata%\Mozilla\Firefox\Profiles\\extensions.json; %appdata%\Mozilla\Firefox\Profiles\\prefs.js

Browser security settings

Browsers have security settings that defend against malware tampering. The Preferences file, for example, contains sensitive data and security settings. Chromium-based browsers detect any unauthorized modifications to these settings through signatures and validation on several preferences. These preferences, as well as configuration parameters, are stored in a JSON file named Secure Preferences.

The Secure Preferences file is similar in structure to the Preferences file except that the former adds a hash-based message authentication code (HMAC) for every entry in the file. This file also contains a key named super_mac that verifies the integrity of all HMACs. When the browser starts, it validates the HMAC values and the super_mac key by calculating and comparing with the HMAC-SHA256 of some of the JSON nodes. If it finds values that don't match, the browser resets the relevant preference to its default value.

In the past, browser modifiers calculated the hashes like browsers do and updated the Secure Preferences file accordingly. Adrozek goes one step further and patches the function that launches the integrity check. The two-byte patch nullifies the integrity check, which makes the browser potentially more vulnerable to hijacking or tampering.
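The following is an added illustration, not Microsoft's or Chromium's code: a simplified model of the per-entry HMAC and super_mac scheme described above, showing why a modifier that rewrites values without the seed is caught, why one that recomputes the MACs (the older technique) is not, and why a browser whose check is patched out flags nothing. The SEED, DEVICE_ID and the JSON serialisation are constructed assumptions; Chromium's real binding to its build seed and device id differs in detail.

```python
"""Simplified model of the Secure Preferences integrity check described above.
Added illustration, not Microsoft's or Chromium's code. Chromium binds each
MAC to a per-build seed, a device id and its own JSON serialisation; the
SEED, DEVICE_ID and serialisation rules below are constructed assumptions.
"""
import hashlib
import hmac
import json

SEED = b"constructed-seed-not-a-real-browser-seed"  # assumption, not a real seed
DEVICE_ID = "constructed-device-id"  # assumption, not a real device id


def _canon(value) -> str:
    # Deterministic serialisation so the same value always yields the same MAC.
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def _mac(path: str, value) -> str:
    # One HMAC-SHA256 per preference: keyed by SEED over device id + path + value.
    msg = (DEVICE_ID + path + _canon(value)).encode()
    return hmac.new(SEED, msg, hashlib.sha256).hexdigest().upper()


def _super_mac(macs: dict) -> str:
    # super_mac covers the whole MAC dictionary, so an edited or dropped MAC shows up too.
    return hmac.new(SEED, _canon(macs).encode(), hashlib.sha256).hexdigest().upper()


def sign(prefs: dict) -> dict:
    """Build a Secure Preferences-style document with per-entry MACs and super_mac."""
    macs = {path: _mac(path, value) for path, value in prefs.items()}
    return {"prefs": dict(prefs), "protection": {"macs": macs, "super_mac": _super_mac(macs)}}


def verify(doc: dict, integrity_check_enabled: bool = True) -> list:
    """Return the entries that fail validation (empty list = trusted).
    integrity_check_enabled=False models a browser whose check has been
    patched out, as the post describes: nothing is ever flagged."""
    if not integrity_check_enabled:
        return []
    macs = doc["protection"]["macs"]
    bad = [p for p, v in doc["prefs"].items()
           if not hmac.compare_digest(macs.get(p, ""), _mac(p, v))]
    if not hmac.compare_digest(doc["protection"]["super_mac"], _super_mac(macs)):
        bad.append("super_mac")
    return bad


def reset_tampered(doc: dict, defaults: dict) -> dict:
    """Model the browser's reaction: failing preferences go back to their defaults."""
    for path in verify(doc):
        if path in defaults:
            doc["prefs"][path] = defaults[path]
    return doc
```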

Figure 9. Two-byte patch to the function in Secure Preferences file that launches the integrity check

With the integrity check disabled, Adrozek proceeds to modify security settings. On Google Chrome or Microsoft Edge, the malware modifies the following entries in the Secure Preferences file to add permissions that enable the malicious extensions to have more control over Chrome APIs:

Entry in Secure Preferences file, value, and result:
browser_action_visible = false: Plugin not visible in the browser toolbar
extension_can_script_all_urls = true: Allows the extension to script on all URLs without explicit permission
incognito = true: The extension can run in incognito mode
safebrowsing = false: Turns off safe browsing

The screenshot below shows the permissions added to the Secure Preferences file:

Figure 10. Permissions added to the Secure Preferences file

On Mozilla Firefox, Adrozek modifies the following security settings:

Modified file name, content, and purpose:
prefs.js: user_pref("app.update.auto", false); user_pref("app.update.enabled", false); user_pref("app.update.service.enabled", false) (turns off updates)
extensions.json: appends detailed information about the malicious extension (registers the extension with the browser)
omni.ja (XPIDatabase.jsm module): isNewInstall = false (loads the extension)
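As an added example that is not part of the original post, the checker below flags the two groups of preference changes listed above: the per-extension Secure Preferences entries and safe-browsing flag on Chromium-based browsers, and the three app.update prefs in Firefox's prefs.js. The JSON layout (extensions.settings.<id> and a safebrowsing node) is an assumption based on the post's table, and the sample inputs are constructed; the Edge extension ID is the one listed in the post.

```python
"""Added example (not from the original post): flag the preference changes the
post attributes to Adrozek in a Chromium Secure Preferences document and in a
Firefox prefs.js. JSON layout is an assumption; sample inputs are constructed."""
import json
import re

# Per-extension settings from the post's table, with the value Adrozek writes.
CHROMIUM_EXT_FLAGS = {"browser_action_visible": False,
                      "extension_can_script_all_urls": True, "incognito": True}
# Firefox prefs the post says Adrozek sets to false to turn off updates.
FIREFOX_UPDATE_PREFS = ("app.update.auto", "app.update.enabled",
                        "app.update.service.enabled")


def check_secure_preferences(text: str) -> list:
    """Return findings for a Secure Preferences JSON document."""
    doc = json.loads(text)
    findings = []
    for ext_id, cfg in doc.get("extensions", {}).get("settings", {}).items():
        for key, bad in CHROMIUM_EXT_FLAGS.items():
            if cfg.get(key) == bad:
                findings.append(f"{ext_id}: {key}={json.dumps(bad)}")
    sb = doc.get("safebrowsing")  # assumed to be a bool or {"enabled": bool}
    if sb is False or (isinstance(sb, dict) and sb.get("enabled") is False):
        findings.append("safebrowsing=false")
    return findings


# Matches one user_pref("name", value); line of prefs.js.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def check_prefs_js(text: str) -> list:
    """Return the update-related prefs that prefs.js forces to false."""
    prefs = {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}
    return [f"{name}=false" for name in FIREFOX_UPDATE_PREFS
            if prefs.get(name) == "false"]


# Constructed samples: one extension id from the post, one made-up benign one.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "fcppdfelojakeahklfgkjegnpbgndoch": {"browser_action_visible": False,
                                             "extension_can_script_all_urls": True,
                                             "incognito": True},
        "constructedbenignextensionid0000": {"incognito": False}}},
    "safebrowsing": {"enabled": False}})
SAMPLE_PREFS_JS = ('user_pref("app.update.auto", false);\n'
                   'user_pref("app.update.enabled", false);\n'
                   'user_pref("app.update.service.enabled", false);\n')

if __name__ == "__main__":
    for f in check_secure_preferences(SAMPLE_SECURE_PREFS) + check_prefs_js(SAMPLE_PREFS_JS):
        print("FINDING:", f)
```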

Browser updates

To prevent the browsers from being updated to the latest versions, which could restore modified settings and components, Adrozek adds a policy to turn off updates.

Figure 11. Policy added to turn off updates

Persistence

In addition to modifying browser settings and components, Adrozek also modifies several system settings to have even more control of the compromised device. It stores its configuration parameters at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\. The 'tag' and 'did' entries contain the command-line arguments that it uses to launch the main payload. More recent variants of Adrozek use random characters instead of 'tag' or 'did'.

Figure 12. Registry entries with command-line arguments that launch the main payload

To maintain persistence, the malware creates a service named "Main Service".

Figure 13. Service created to maintain persistence

Ad injection

After tampering with multiple browser components and settings, the malware gains the capability to inject ads into search results on affected browsers. The injection of ads is performed by malicious scripts downloaded from remote servers.

Depending on the search keyword, the scripts add related ads at the top of legitimate ads and search results. The number of ads inserted and the sites they point to vary. And while we have not seen these ads point to malware-hosting or other malicious websites, the attackers could presumably make that change at any time. The Adrozek attackers, however, operate the way other browser modifiers do, which is to earn through affiliate ad programs, which pay for referral traffic to certain websites.

Figure 14. Comparison of search results pages on an affected machine and one with Adrozek running

Credential theft

On Mozilla Firefox, Adrozek takes things further. It makes the most of its foothold by performing credential theft. It downloads an additional randomly named .exe file, which collects device information and the currently active username. It sends this information to the attacker.

Figure 15. Additional executable file written to the %temp% folder

It then starts locating specific files, including logins.json. On Mozilla Firefox, the said file, which is located at %appdata%\Roaming\Mozilla\Firefox\Profiles\\logins.json, stores user credentials in encrypted form and the browsing history.

Figure 16. JSON file containing stolen credentials

The malware looks for specific keywords like encryptedUsername and encryptedPassword to locate encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to the attackers.

With this additional function, Adrozek sets itself apart from other browser modifiers and demonstrates that there's no such thing as a low-priority or non-urgent threat. Preventing the full range of threats from gaining access in the first place is of utmost importance.

Defending against sophisticated browser modifiers

Adrozek shows that even threats that are not thought of as urgent or critical are increasingly becoming more complex. And while the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allows attackers to gain a strong foothold on a machine. The addition of credential theft behavior shows that attackers can expand their objectives to take advantage of the access they're able to gain.

These complex behaviors, and the fact that the campaign uses polymorphic malware, require protections that focus on identifying and detecting malicious behavior. Microsoft Defender Antivirus, the built-in endpoint protection solution on Windows 10, employs behavior-based, machine learning-powered detections to block Adrozek.

End users who find this threat on their devices are advised to re-install their browsers. Considering the massive infrastructure that was used to distribute this threat on the web, consumers should educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites. Customers should take advantage of URL filtering solutions, such as Microsoft Defender SmartScreen on Microsoft Edge. Configuring security software to automatically download and install updates, as well as running the latest versions of the operating system and applications and deploying the latest security updates, helps harden endpoints against threats.

For enterprises, defenders should look to reduce the attack surface for these types of threats. Application control allows organizations to enforce the use of only authorized apps and services. Enterprise-grade browsers like Microsoft Edge offer additional security features like conditional access and Application Guard that defend against threats on the browser.

It's also important for enterprises to gain deep visibility into malicious behaviors on endpoints and the capability to correlate with threat data from other domains like cloud apps, email and data, and identities. Microsoft 365 Defender delivers coordinated protection across domains and provides rich investigation tools that empower defenders to respond to attacks. Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.

Microsoft 365 Defender Research Team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers appeared first on Microsoft Security.