Microsoft recently issued a warning about an ongoing malware campaign they discovered. It seeks to install a new browser hijacking, credential stealing malware strain called Adrozek onto as many PCs as possible.
Based on Microsoft’s analysis of the campaign, at its peak, it was able to infect more than 30,000 devices every single day.
Microsoft had this to say about the malware on a recent blog post:
“The Adrozek attackers…operate the way other browser modifiers do, which is to earn through affiliate ad programs, which pay for referral traffic to certain websites. The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by the amount of traffic referred to sponsored affiliated pages.”
While it’s unclear who’s behind the campaign, it’s obviously a group of hackers and not an individual. The campaign spans 159 domains that host an average of 17,300 URLs that have delivered more than fifteen thousand polymorphic malware samples. These have been delivered to infected devices between May through September of this year (2020).
It’s a well-designed piece of code capable of slipping past many security measures and infecting Microsoft Edge and other Chromium-based browsers, along with Google Chrome and Mozilla Firefox browsers. Once installed, it will begin quietly installing browser extensions in the background and give itself some persistence by adding new registry entries and creating a new Windows Service cryptically named “Main Service,” which makes it notoriously difficult to be rid of once it makes its way onto a target device.
If there’s a silver lining to be found, it lies in the fact that so far at least, the main purpose of this malware strain seems to be to make money for its controllers via ads, which makes it a low-priority, non-urgent threat. That, however, could easily change any time the hackers felt so inclined.