Adrozek Malware

Original Issue Date:- December 11, 2020

Virus Type:- Browser modifiers

Severity:- Medium

It has been reported that a new malware named Adrozek is affecting users' devices globally. It infects the device and then modifies web browsers and their settings in order to inject ads into search results pages.

Infection Mechanism:

The malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software. The software installs the Adrozek malware, which then obtains reboot persistence with the help of a registry key. The malware looks for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox and Yandex Browser and attempts to force-install an extension by modifying the browser's AppData folders. It also modifies some of the browsers' DLL files to change browser settings and disable security features, so that the browser's own security features do not detect the unauthorized modifications. Modifications performed by Adrozek include:

  • Disabling browser updates
  • Disabling file integrity checks
  • Disabling the Safe Browsing feature
  • Registering and activating malicious extension
  • Allowing malicious extension to run in incognito mode
  • Allowing extension to run without appropriate permissions
  • Hiding extension from toolbar
  • Modifying browser default home page
  • Modifying browser default search engine

Adrozek's attack chain is shown below:

Figure:1 Adrozek attack chain (Source: Microsoft)

The attackers earn through affiliate advertising programs, which pay by the amount of traffic referred to the sponsored affiliate pages.

Figure:2 Comparison of search results pages on an affected machine and one with Adrozek running (Source: Microsoft)

Extension paths on targeted browsers (examples):

Browser          Extension path (example)
Microsoft Edge   %localappdata%\Microsoft\Edge\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch
Google Chrome    %localappdata%\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm (might vary)
Mozilla Firefox  %appdata%\Roaming\Mozilla\Firefox\Profiles\[profile]\Extensions\{14553439-2741-4e9d-b474-784f336f58c9}
Yandex Browser   %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch
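The following PowerShell script is an added example (not part of this advisory) that checks the browser profile directories listed in the table above for the extension identifiers associated with Adrozek. It assumes a Windows host and the current user's profile; on a shared machine it must be run once per user profile.

```powershell
# Added example (not part of the advisory): scan the current user's browser
# profiles for the Adrozek extension identifiers listed in the table above.
# Assumption: single-user host; for other users substitute their LOCALAPPDATA/APPDATA paths.

# Extension IDs from the table (the Chrome ID is noted as possibly varying,
# so a clean result here is necessary but not sufficient evidence of a clean host).
$indicators = @(
    'fcppdfelojakeahklfgkjegnpbgndoch',
    'pkedcjkdefgpdelpbcmbmeomcjbeemfm',
    '{14553439-2741-4e9d-b474-784f336f58c9}'
)

# Per-browser roots. Chromium browsers keep <profile>\Extensions\<id>\ directories;
# Firefox keeps <profile>\Extensions\<id>.xpi files. $env:APPDATA already points at
# the Roaming folder, so the %appdata%\Roaming form in the table collapses to it.
$roots = @{
    'Microsoft Edge'  = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    'Google Chrome'   = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    'Yandex Browser'  = Join-Path $env:LOCALAPPDATA 'Yandex\YandexBrowser\User Data'
    'Mozilla Firefox' = Join-Path $env:APPDATA      'Mozilla\Firefox\Profiles'
}

$findings = foreach ($browser in $roots.Keys) {
    $root = $roots[$browser]
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Depth 3 reaches <root>\<profile>\Extensions\<item> for every profile, not only Default.
    Get-ChildItem -LiteralPath $root -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        Where-Object {
            (Split-Path -Leaf (Split-Path -Parent $_.FullName)) -eq 'Extensions' -and
            ($indicators -contains $_.BaseName)   # -contains is case-insensitive
        } |
        ForEach-Object {
            [pscustomobject]@{
                Browser   = $browser
                Indicator = $_.BaseName
                Path      = $_.FullName
                Modified  = $_.LastWriteTime   # useful for building an infection timeline
            }
        }
}

if ($findings) {
    Write-Warning 'Adrozek extension indicators found; apply the countermeasures below.'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Adrozek extension indicators found in the checked browser profiles.'
}
```

Because Adrozek also tampers with browser DLLs and settings, a hit here should be followed by re-installing the affected browsers rather than by removing only the extension directory.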

Countermeasures and Best practices for prevention:

  • Follow safe practices when browsing the web. Ensure web browsers are secured with appropriate content controls.
  • Users are advised to update their devices with patches as and when released by the respective OEM.
  • If a device is found infected, it is recommended to re-install the browsers.
  • Be aware of the risks of downloading and installing software from untrusted sources and of clicking ads or links on suspicious websites.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list.
  • Users are advised to enable URL filtering solutions on browsers to prevent such attacks.
  • Users are advised to use antivirus solutions that use behaviour-based, machine learning-powered detections to block Adrozek.
  • Users are advised to use Browser JSGuard to detect and defend against malicious HTML and JavaScript attacks.