The Adrozek malware campaign was tracked from May to September 2020, during which about 159 unique domains were used to distribute hundreds of thousands of unique malware samples. The attackers rely on polymorphism to evade detection, and the drive-by distribution infrastructure is correspondingly large: several of the domains host tens of thousands of URLs each, and a few host more than 100,000 unique URLs.
It affects almost all of the popular browsers on Windows, including Google Chrome, Mozilla Firefox and Microsoft Edge, by inserting unauthorized ads over the legitimate ads on search results pages so that users click them inadvertently.
How the Adrozek Malware Gets Installed on Devices
The Adrozek distribution infrastructure is highly dynamic: some domains run for only a day, while others stay active for longer, up to 120 days. Through this sprawling infrastructure the attackers distribute hundreds of thousands of unique installer samples of the malware.
Adrozek is installed by drive-by download when a user visits one of the attacker-controlled domains. The installer drops the malware into the Program Files folder under a file name that makes it look like audio-related software, to evade detection.
Once installed, Adrozek makes multiple changes to browser settings and security controls so that it can install malicious add-ons. These add-ons masquerade as genuine tools by reusing the IDs of legitimate browser extensions. The malware also exfiltrates website credentials stored by the browser and maintains persistence, leaving affected devices exposed to additional risks.
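The extension-ID reuse described above is something a responder can check for offline. The script below is an added example written for this article; it is not code from the original page or from Microsoft. It assumes the Chromium-style layout that Chrome and Edge use (`<profile>/Extensions/<id>/<version>/manifest.json`) and a hypothetical operator-supplied baseline that maps trusted extension IDs to the names they are expected to carry. It flags extensions whose on-disk manifest name no longer matches the name recorded for that ID, extensions that are not in the baseline at all, and extensions whose content scripts or host permissions cover search result pages, since that is where Adrozek overlays its ads. The sample profile it scans is constructed in a temporary directory so the example runs anywhere.

```python
"""Triage Chromium-style browser extensions for Adrozek-like ID reuse.

Added example, not part of the original article. Assumptions:
  - extensions live under <root>/<id>/<version>/manifest.json (Chrome/Edge layout);
  - BASELINE is a hypothetical, operator-maintained map of trusted IDs to names.
"""
import json
import tempfile
from pathlib import Path

# Hypothetical baseline: extension ID -> manifest name the operator expects.
# The IDs are made up for this example (real IDs are 32 characters in a..p).
BASELINE = {
    "abcdefghijklmnopabcdefghijklmnop": "Example Reader",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Example Notes",
}

# Search engines whose result pages an ad-injecting extension would target.
SEARCH_HOST_FRAGMENTS = ("google.", "bing.", "yahoo.", "duckduckgo.", "yandex.")


def _touches_search_pages(manifest):
    """True if a content script or host permission covers search result pages."""
    patterns = []
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    patterns.extend(manifest.get("permissions", []))        # MV2 host patterns
    patterns.extend(manifest.get("host_permissions", []))   # MV3 host patterns
    for pattern in patterns:
        if pattern == "<all_urls>" or any(f in pattern for f in SEARCH_HOST_FRAGMENTS):
            return True
    return False


def scan_extensions(extensions_root, baseline=BASELINE):
    """Walk <root>/<id>/<version>/manifest.json and return a list of findings.

    Each finding is {"id", "version", "name", "reasons"}; clean extensions
    produce no entry. Note that a real manifest "name" may be an
    "__MSG_...__" localisation key; this example compares the raw string.
    """
    findings = []
    root = Path(extensions_root)
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                findings.append({"id": ext_id, "version": version_dir.name,
                                 "name": None, "reasons": ["unreadable manifest"]})
                continue
            name = manifest.get("name")
            reasons = []
            expected = baseline.get(ext_id)
            if expected is None:
                reasons.append("id not in baseline")
            elif name != expected:
                # The Adrozek pattern: a trusted ID now carries a different payload.
                reasons.append(f"id belongs to '{expected}' but manifest says '{name}'")
            if _touches_search_pages(manifest):
                reasons.append("content scripts or host permissions cover search result pages")
            if reasons:
                findings.append({"id": ext_id, "version": version_dir.name,
                                 "name": name, "reasons": reasons})
    return findings


def build_sample_profile():
    """Create a constructed Extensions directory in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ext-triage-")) / "Extensions"
    samples = {
        # Clean: ID and name match the baseline, scripts only on example.com.
        ("abcdefghijklmnopabcdefghijklmnop", "1.2.0"): {
            "name": "Example Reader", "version": "1.2.0", "manifest_version": 3,
            "content_scripts": [{"matches": ["*://example.com/*"], "js": ["reader.js"]}],
        },
        # Suspicious: a baseline ID reused by a payload that injects into search pages.
        ("ponmlkjihgfedcbaponmlkjihgfedcba", "2.0.1"): {
            "name": "Audio Helper", "version": "2.0.1", "manifest_version": 3,
            "content_scripts": [{"matches": ["*://*.google.com/*", "*://*.bing.com/*"],
                                 "js": ["inject.js"]}],
        },
        # Unknown: not in the baseline, but otherwise harmless-looking.
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "0.9"): {
            "name": "Weather", "version": "0.9", "manifest_version": 3,
            "permissions": ["storage"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        ext_path = root / ext_id / version
        ext_path.mkdir(parents=True)
        (ext_path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_extensions(build_sample_profile()):
        print(f"{finding['id']} {finding['version']} ({finding['name']}): "
              + "; ".join(finding["reasons"]))
```

Point `scan_extensions` at a real profile (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`) and replace `BASELINE` with the IDs and names you expect on that machine. A name mismatch on a trusted ID is the strongest signal here; an unknown ID is only informational, and the search-page check will also fire on legitimate extensions that genuinely need to run on search results, so treat it as a reason to look, not as a verdict.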
That a single malware family targets multiple browsers is one more sign of how the threat landscape keeps evolving toward more sophisticated attack scenarios.
How to Mitigate Against Adrozek Malware
Because the malware is polymorphic, file signatures alone are not enough; protection has to focus on identifying and detecting the malicious behavior. Microsoft Defender Antivirus, the built-in endpoint protection on Windows 10, uses behavior-based, machine learning-powered detections to block malware such as Adrozek.
Affected users are advised to reinstall their browsers. More generally, users should understand the danger of clicking ads or links on suspicious websites and the risk of downloading and installing software from untrusted sources.