A persistent malware campaign called Adrozek has been using an evolved browser modifier to deliver fraudulent ads to search-engine pages, according to Microsoft.
At its peak in August, Adrozek was observed on more than 30,000 devices each day, researchers found, affecting multiple browsers.
The Adrozek family of malware changes browser settings to allow it to insert fake ads over legitimate ones, which earns the scammers affiliate advertising dollars for each user they can trick into clicking.
Making Adrozek an even more dangerous threat, the malware extracts data from the infected device and sends it to a remote server to be used later; and, in some cases, it steals device credentials.
The extensive proliferation and persistence of Adrozek across the world, and its impact on several browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox and Yandex, represent a significant advancement in browser-modifier malware, researchers explained in findings released on Dec. 10. New tools, the sheer size of the campaign’s infrastructure and the persistence of the malware once it infects a device have supercharged this bread-and-butter scam into a new age.
“This is a great example of how technically advanced modern attackers are,” Erich Kron, security awareness advocate at KnowBe4 told Threatpost by email. “While we often hear about data breaches and fraudulent wire transfers, campaigns like this quietly run in the background generating income by redirecting search results. In many cases, it’s likely that the advertisers are unaware that malware is being used to increase this traffic. The advertisers are losing money, as they are presenting ads to possibly uninterested people, while paying the cybercriminals.”
Adrozek Infrastructure
Microsoft tracked down the source of Adrozek and found it was supported by an enormous, global infrastructure.
“We tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average,” Microsoft reported. “In total, from May to September 2020, we recorded hundreds of thousands of encounters of the Adrozek malware across the globe, with heavy concentration in Europe and in South Asia and Southeast Asia. As this campaign is ongoing, this infrastructure is bound to expand even further.”
Installers, the report explained, are distributed across the Adrozek malware infrastructure, making them difficult to detect.
“Each of these files is heavily obfuscated and uses a unique file name that follows this format: setup_<application name>_<numbers>.exe,” the report said. “When run, the installer drops an .exe file with a random file name in the %temp% folder. This file in turn drops the main payload in the Program Files folder using a file name that makes it look like legitimate audio-related software.”
Microsoft researchers have found the malware hidden behind the file names “Audiolava.exe” and “QuickAudio.exe,” which can be found under “Settings > Apps & features,” the report explained.
Polymorphic Malware
Polymorphic malware is programmed to constantly shift and change to avoid detection. And so, once Adrozek has infected a device, it’s tricky to find and root out. For instance, once inside the browser, Adrozek adds malicious scripts to certain extensions, Microsoft found, depending on which browser it encounters.
“In some cases, the malware modifies the default extension by adding seven JavaScript files and one manifest.json file to the target extension’s file path,” the report said. “In other cases, it creates a new folder with the same malicious components.”
Those scripts fetch other scripts which then inject the fake ads, the researchers report. But besides the ads, the malware sends the device information to a remote server.
In yet another polymorphic malware feat, Adrozek changes certain browser DLLs to turn off security controls, the Microsoft team observed. Once inside the browser, attackers can read preferences, including the default search engine, and adjust the DLL accordingly.
Then it’s on to the browser security settings, in the Secure Preferences file.
“The Secure Preferences file is similar in structure to the Preferences file except that the former adds hash-based message authentication code (HMAC) for every entry in the file,” the report said. “This file also contains a key named super_mac that verifies the integrity of all HMACs. When the browser starts, it validates the HMAC values and the super_mac key by calculating and comparing with the HMAC SHA-256 of some of the JSON nodes. If it finds values that don’t match, the browser resets the relevant preference to its default value.”
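The integrity scheme the report describes can be modelled in a few dozen lines. The following is an added illustration, not Chromium’s or Microsoft’s code: the seed, the tracked preference paths and the message layout (path plus compact JSON of the value) are assumptions that stand in for the browser’s real, build-specific values, but the logic is the one quoted above: every tracked entry carries an HMAC-SHA256, a super_mac covers the whole MAC table, and an entry whose MAC does not verify is reset to its default when the browser starts.

```python
"""Simplified model of an HMAC-protected preferences file (added example)."""
import hashlib
import hmac
import json
from copy import deepcopy

SEED = b"constructed-demo-seed"  # assumption: stands in for the browser's build seed

# Tracked preference paths and the value each is reset to when its MAC fails
DEFAULTS = {
    "default_search_provider.url": "https://search.example/?q={searchTerms}",
    "homepage": "about:blank",
}
SEARCH = "default_search_provider.url"


def _get(prefs, path):
    node = prefs
    for part in path.split("."):
        node = node[part]
    return node


def _set(prefs, path, value):
    parts = path.split(".")
    node = prefs
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _canon(value):
    # Deterministic serialization so signer and verifier MAC identical bytes
    return json.dumps(value, separators=(",", ":"), sort_keys=True).encode()


def entry_mac(path, value):
    return hmac.new(SEED, path.encode() + _canon(value), hashlib.sha256).hexdigest().upper()


def super_mac(macs):
    return hmac.new(SEED, _canon(macs), hashlib.sha256).hexdigest().upper()


def sign(prefs):
    """Attach one MAC per tracked entry plus a super_mac over the MAC table."""
    prefs = deepcopy(prefs)
    macs = {path: entry_mac(path, _get(prefs, path)) for path in DEFAULTS}
    prefs["protection"] = {"macs": macs, "super_mac": super_mac(macs)}
    return prefs


def validate(prefs):
    """Startup check: returns (repaired, re-signed prefs, list of paths reset)."""
    prefs = deepcopy(prefs)
    protection = prefs.get("protection", {})
    macs = protection.get("macs", {})
    # A bad super_mac means the MAC table itself was edited; trust none of it
    table_ok = hmac.compare_digest(protection.get("super_mac", ""), super_mac(macs))
    reset = []
    for path, default in DEFAULTS.items():
        try:
            current = _get(prefs, path)
        except KeyError:
            current = None
        expected = macs.get(path, "")
        if not table_ok or not hmac.compare_digest(expected, entry_mac(path, current)):
            _set(prefs, path, default)
            reset.append(path)
    return sign(prefs), reset


def tamper_value_only(signed):
    """Constructed scenario: the search URL is rewritten, MAC table untouched."""
    t = deepcopy(signed)
    _set(t, SEARCH, "https://fake-ads.invalid/?q={searchTerms}")
    return t


def tamper_value_and_mac(signed):
    """Constructed scenario: value rewritten and its MAC replaced without the seed."""
    t = tamper_value_only(signed)
    t["protection"]["macs"][SEARCH] = "0" * 64
    return t


if __name__ == "__main__":
    clean = sign({"default_search_provider": {"url": DEFAULTS[SEARCH]},
                  "homepage": "https://intranet.example"})
    for scenario in (tamper_value_only, tamper_value_and_mac):
        repaired, reset = validate(scenario(clean))
        print(scenario.__name__, "reset:", reset, "search:", _get(repaired, SEARCH))
```

In the first scenario only the rewritten search entry fails and is reset, while the user’s own homepage survives; in the second the forged per-entry MAC breaks the super_mac, so every tracked entry goes back to its default. Because the seed lives inside the browser binary, the values cannot be forged from outside it, which is consistent with the report’s observation that the malware instead alters browser DLLs to switch the check off.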
Proliferation and Credential Theft
Once it’s comfortably installed on the device, the malware turns off browser updates and changes system settings to maintain control.
“It stores its configuration parameters at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<programName>,” researchers reported. “The ‘tag’ and ‘did’ entries contain the command-line arguments that it uses to launch the main payload. More recent variants of Adrozek use random characters instead of ‘tag’ or ‘did’.”
Researchers add that the malware then creates a service called “Main Service.”
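The host artifacts the report names (the setup_<application name>_<numbers>.exe installer naming, the audio-themed payload names under Program Files, the Wow6432Node configuration key with ‘tag’/‘did’ values, and the “Main Service” service) are enough for a first-pass triage script. The example below is added here and is not Microsoft’s tooling; it runs over a constructed inventory in the shape a collection script might return, and the regular expressions and the rule that a Wow6432Node subkey named after a flagged payload counts as a hit (to cover the variants that use random value names) are this example’s assumptions.

```python
"""Triage a host inventory for the Adrozek artifacts described in the report (added example)."""
import re

# Indicators taken from the report's description
INSTALLER_RE = re.compile(r"^setup_.+_\d+\.exe$", re.IGNORECASE)
PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe"}
PAYLOAD_DIR_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
REGISTRY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\"
CONFIG_VALUES = {"tag", "did"}
SERVICE_NAME = "Main Service"

# Constructed inventory: file paths, registry keys with their value names, services
SAMPLE_INVENTORY = {
    "files": [
        "C:\\Users\\alice\\Downloads\\setup_MediaPlayer_48213.exe",
        "C:\\Program Files\\QuickAudio\\QuickAudio.exe",
        "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    ],
    "registry": {
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\QuickAudio": {"tag": "--run 1", "did": "a1b2"},
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Mozilla": {"CurrentVersion": "83.0"},
    },
    "services": [
        {"name": "Main Service", "path": "C:\\Program Files\\QuickAudio\\QuickAudio.exe"},
        {"name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
    ],
}


def triage(inventory):
    """Return a list of findings, each a dict with an 'indicator' label and detail."""
    findings = []
    payload_programs = set()  # program names whose payload file was flagged

    for path in inventory["files"]:
        name = path.rsplit("\\", 1)[-1]
        if INSTALLER_RE.match(name):
            findings.append({"indicator": "installer-name", "detail": path})
        if name.lower() in PAYLOAD_NAMES and PAYLOAD_DIR_RE.match(path):
            findings.append({"indicator": "payload-name", "detail": path})
            payload_programs.add(name.lower().rsplit(".", 1)[0])

    for key, values in inventory["registry"].items():
        if not key.lower().startswith(REGISTRY_PREFIX.lower()):
            continue
        program = key.rsplit("\\", 1)[-1].lower()
        has_config = bool(CONFIG_VALUES & {v.lower() for v in values})
        # Random value names in newer variants: fall back to the key name matching a payload
        if has_config or program in payload_programs:
            findings.append({"indicator": "registry-config", "detail": key,
                             "values": sorted(values)})

    for svc in inventory["services"]:
        if svc["name"].lower() == SERVICE_NAME.lower():
            findings.append({"indicator": "service-name", "detail": svc["path"]})

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

A hit on any single indicator is a reason to look closer rather than proof of infection (an installer name alone is weak), but the combination of a payload under Program Files, a matching Wow6432Node key and the “Main Service” service is the cluster the report describes, and the remediation it recommends is reinstalling the affected browsers.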
That leaves the device in the control of cybercriminals with the ability to deliver ads whenever they want and make changes at any time.
When it comes to Mozilla Firefox, Adrozek has another trick: it also steals the device credentials.
“The malware looks for specific keywords like encryptedUsername and encryptedPassword to locate encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to attackers,” the report said.
Researchers warn affected users to re-install their browsers to eliminate Adrozek from their system.
“The addition of credential theft from the Firefox browser is a valuable tool,” Kron added. “Attackers love to have access to usernames and passwords that they will then use in credential-stuffing attacks on other accounts such as banking or shopping websites. These are successful because people often reuse the same password for many different accounts.”
The true solution, Kron argues, is changing user behavior.
“To defend against this, users need to be educated about the dangers of installing software from untrusted websites, and the importance of password hygiene, to include not reusing them across accounts,” he said.