Microsoft recently announced the results of a months-long investigation into a sophisticated malware campaign they say has been active since May. The company’s report authored by the Microsoft 365 Defender Research Team said the campaign infected as many as 30,000 devices each day at its peak in August, and that it remains an ongoing threat.
“Adrozek,” the name the Microsoft team gave to the malware, targets several popular web browsers including Microsoft Edge, Google Chrome, Mozilla Firefox, and Yandex Browser. It injects unauthorized advertising links into legitimate search engine results pages. The unauthorized ads link to affiliate sites, from which the attackers fraudulently collect affiliate ad revenue.
A Sophisticated Operation Built to Last
Fraud in connection with affiliate advertising is not new, the report says. But the size and scope of this particular campaign revealed a high level of organization and a commitment to keep it operational for as long as possible.
The Microsoft team monitored 159 unique domains that hosted just over 17,000 unique URLs on average per domain. It said hundreds of thousands of encounters with the Adrozek malware occurred between May and September, primarily in Europe, South Asia, and Southeast Asia. The report also noted that the campaign is ongoing and adaptable. And given the sophisticated nature of the operation’s infrastructure, it’s likely that the existing scope will expand even further.
How Adrozek Works
Devices get infected with Adrozek through drive-by download: users are redirected to fraudulent sites and then tricked into downloading the malware. Once installed, it looks for the internet browsers present on the device and modifies their extensions and security settings.
Once the malware takes root, it fetches additional malicious code from its own servers and places it on the user’s device. This code injects the fraudulent ad links into search engine result pages. Attackers can then redirect traffic to these ad sites and earn revenue from traffic referral programs.
The Microsoft team found one additional feature of Adrozek that specifically targeted users of Mozilla’s Firefox browser. The malware extracted user credentials from Firefox and uploaded them to the attackers’ servers. Credentials include device information and the currently active username.
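Because the report describes Adrozek tampering with installed browser extensions, one practical defender’s check is an integrity baseline of each extension directory that flags added, removed, or altered files. The following Python script is an added illustration, not code from the Microsoft report or from SecureData; the extension directory layout and file contents it builds are constructed samples, and the tampering it simulates is a benign appended comment and an extra file.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(ext_dir: Path) -> dict:
    """Map every file under an extension directory (relative path) to its hash."""
    return {
        p.relative_to(ext_dir).as_posix(): hash_file(p)
        for p in sorted(ext_dir.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed sample extension, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample_extension"  # constructed, not a real browser path
        ext.mkdir()
        (ext / "manifest.json").write_text(json.dumps({"name": "sample", "version": "1.0"}))
        (ext / "content.js").write_text("console.log('sample extension');\n")
        baseline = snapshot(ext)  # in practice, store this at install time
        # Simulated tampering: an existing script is altered and a new file appears.
        with (ext / "content.js").open("a") as handle:
            handle.write("// constructed: line appended after baseline\n")
        (ext / "extra.js").write_text("// constructed: file added after baseline\n")
        return diff_snapshots(baseline, snapshot(ext))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In deployment the baseline would be captured when the extension is installed or updated and the diff run periodically; any result with non-empty lists deserves a closer look.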
How to Protect Yourself
The report advises anyone who thinks their device might be infected with Adrozek to immediately re-install their browser software. Even threats that might seem less critical, such as unwanted ads in search results, can leave users at risk. The sophistication of the Adrozek campaign shows the lengths to which attackers will go to gain a foothold on user devices, and that foothold can be used later for other malicious purposes.
Microsoft also advises the use of good antivirus software that can identify and detect specific malicious behaviors. Users are also urged to use caution when downloading software, and to only do so from verified and trusted websites. For enterprise users, the report advises stronger application controls that limit access to unauthorized apps and services.
Malware Is a Common and Persistent Threat
What seems to set Adrozek apart is the extent of the operation, the sophistication of the infrastructure, and the potential for escalation given how the malware targets and disables security features designed to detect it.
Furthermore, the use of polymorphism techniques makes traditional signature-based antivirus software ineffective at tracking the malware, since a unique signature can be generated for each of hundreds of thousands of samples.
Malware threats constantly evolve, and users struggle to keep up. At SecureData, we understand how critical it is to protect yourself and your personal data from malware attacks. With so many of us telecommuting and shopping online as a result of the COVID pandemic, our potential exposure to malware has increased exponentially.
All SecureData hardware-encrypted external hard disk and USB flash drives come equipped with one year of DriveSecurity® Antivirus protection powered by ESET. DriveSecurity® requires no host installation, runs directly from the drive and detects threats without the need for internet service.
DriveSecurity® also blocks viruses designed to evade traditional antivirus software, and it works seamlessly with all major web browsers to prevent attacks by malicious scripts. Call SecureData at 1-424-363-8535 to learn more about how we can help you better secure your personal information and protect yourself against malware attacks.