According to Microsoft, a persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. In August 2020, the threat was its peak where over 30,000 devices were infected by the malware every day. “We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines,” the Microsoft Team wrote. “The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.” According to the Microsoft Team, browser modification malware isn’t necessarily new or all that advanced, but the fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. Besides, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks. Microsoft’s tracking of the Adrozek campaign from May to September 2020 saw 159 unique domains used to distribute hundreds of thousands of unique malware samples, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average. From May to September 2020, the Redmond tech giant recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with a heavy concentration in Europe, South Asia, and Southeast Asia. The Adrozek malware is installed on devices through a drive-by download. Attackers depended heavily on polymorphism, which allows them to churn huge volumes of samples as well as to evade detection. The distribution infrastructure is also very dynamic. Some of the domains were up for just one day, while others were active for longer up to 120 days. Interestingly, some of the domains were distributing clean files like Process Explorer, which was likely an attempt by the attackers to improve the reputation of their domains and URLs and evade network-based protections. Microsoft has described Adrozek’s attack chain in the image below: As can be seen in the image above, the installer from the domain drops a .exe file with a random file name in the %temp% folder. This file in drops the main payload in the Program Files folder using a file name that makes it look like legitimate audio-related software. The malware uses various names like Audiolava.exe, QuickAudio.exe, and converter.exe. Once installed, Adrozek makes multiple changes to the browser settings and components including the default homepage, adds new browser extensions, changes the in-browser DLL files, browser’s default search engine, updates schedule, permissions settings, and much more, in order to allow the malware to inject ads into search engine result pages. If this was not enough, in Mozilla Firefox, the Adrozek malware also steals user credentials from the browser which are then communicated back to the attacker’s servers. “While many of the domains hosted tens of thousands of URLs, a few had more than 100,000 unique URLs, with one hosting almost 250,000. This massive infrastructure reflects how determined the attackers are to keep this campaign operational,” Microsoft added. Microsoft advises end-users who find this malware on their devices to reinstall their browsers. Further, it also added that users should educate themselves about preventing malware infections and the risks of downloading and installing software from untrusted sources and clicking ads or links on suspicious websites. As a precautionary measure, end-users should ensure that their security software and operating systems are up to date. As for enterprises, they should look to reduce the attack surface by implementing application control to enforce the use of only authorized apps and services.