“Adrozek” Malware Is Silently Injecting Ads in Search Results

  • Microsoft warns about a stealthy ad-serving malware that has spread extensively.
  • The malware called “Adrozek” is changing browser settings and installs laced extensions.
  • The goal is to make money by tricking people into visiting affiliate marketing URLs.

The sneakier a malware attack is, the higher its chances of success. Microsoft reports on a new malware called “Adrozek,” which has been spreading silently without researchers noticing, affecting internet users on many popular browsers, including Google Chrome, Firefox, Edge, and the Yandex browser.

It is essentially a browser modifier: it adds extensions, modifies DLLs, and changes browser settings to insert malicious ads into the user’s search results and make them appear legitimate.

Source: Microsoft

The actors’ goal is to make money through affiliate advertising, so the victims aren’t running a serious risk, but they are still falling victim to abuse. In the end, they get search results that aren’t relevant to their interests, so their internet experience, and even its personalization, is severely degraded and undermined. In the case of Mozilla Firefox, Adrozek can even steal user credentials.

Source: Microsoft

The most affected regions right now are the whole of Europe, India, and Southeast Asia. Adrozek is dropped via drive-by downloads, and Microsoft has identified at least 159 unique domains distributing a large number of samples. To avoid detection, the authors use a form of polymorphism, generating hundreds of thousands of slightly different malware samples that do essentially the same thing but have different signatures.

The same applies to the distribution infrastructure, with domains frequently rotated, refreshed, or replaced. Some stay active for just a day, while others try to stay up longer through reputation-cleaning tricks. The following diagram gives a picture of the attack chain and how Adrozek is distributed.

Source: Microsoft

If it is on your system, you will find it under ‘Local Disk (C:) / Program Files (x86) / Alternate / Quick Audio’. The executable dropped by the malicious installer is “QuickAudio.exe,” making it appear as though it is something audio-related. Other names noticed by Microsoft’s researchers include “converter.exe” and “Audiolava.exe.” If you suspect an Adrozek infection, you should reinstall your browser.
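The on-disk indicators above (the drop directory and the three executable names) are enough for a simple host check. The script below is an added example written for this article, not Microsoft’s tooling: it walks a `Program Files (x86)` tree and reports any path matching those indicators. It matches on names rather than hashes because, as the article notes, the samples are polymorphic; the sample layout it scans in `demo()` is constructed here with placeholder files, and the assumption that the drop path is exactly as the article describes is the only one it makes.

```python
"""Check a Program Files (x86) tree for the on-disk artefacts attributed to Adrozek.

Added example for this article; not Microsoft's code. The only indicators used
are the ones the write-up names: the drop directory 'Alternate\\Quick Audio'
and the executable names QuickAudio.exe, converter.exe and Audiolava.exe.
"""
import os
import tempfile
from pathlib import Path

# Drop location and executable names as reported in the article.
DROP_DIR = Path("Alternate") / "Quick Audio"
EXE_NAMES = {"quickaudio.exe", "converter.exe", "audiolava.exe"}


def find_adrozek_artifacts(program_files_x86):
    """Return a list of (reason, path) pairs for matches under the given tree.

    Matching is by directory and file name, not by hash: the samples are
    polymorphic, so a hash list would miss most of them, while the drop path
    and executable names stayed constant in the reported campaign.
    """
    root = Path(program_files_x86)
    findings = []
    drop_dir = root / DROP_DIR
    if drop_dir.is_dir():
        findings.append(("drop directory present", str(drop_dir)))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive compare, since NTFS paths are case-insensitive.
            if name.lower() in EXE_NAMES:
                findings.append(("reported executable name", str(Path(dirpath) / name)))
    return findings


def build_constructed_sample(base):
    """Create a constructed, harmless layout that mimics the reported drop (placeholder files only)."""
    base = Path(base)
    (base / DROP_DIR).mkdir(parents=True)
    (base / DROP_DIR / "QuickAudio.exe").write_bytes(b"placeholder, not a real binary")
    (base / "Elsewhere").mkdir()
    (base / "Elsewhere" / "Audiolava.exe").write_bytes(b"placeholder, not a real binary")
    (base / "Elsewhere" / "readme.txt").write_text("benign file that must not be flagged")


def demo():
    """Scan a throwaway copy of the constructed layout and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return find_adrozek_artifacts(tmp)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason}: {path}")
    # On a real Windows host: find_adrozek_artifacts(r"C:\Program Files (x86)")
```

A hit on the executable names alone is a weaker signal than the drop directory, since legitimate software could plausibly ship a `converter.exe`; treat a name-only match as a prompt to inspect the file, and a match on the `Alternate\Quick Audio` path as a strong indicator.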

Source: Microsoft

The extensions added to the browsers use the IDs of legitimate extensions, but they are fake clones. The extension impersonated most often is “Radioplayer,” but of course many others are abused in the same way.

In all cases, the malware adds seven JavaScript files to these cloned extensions, sets the browser’s visibility to “hidden,” and enables it in incognito mode as well. Finally, the browser’s automatic updates are turned off so that the malware won’t be uprooted by a security patch.
