
Evolution Networks Blog

Evolution Networks has been serving the South Florida area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Has your browser been targeted by recent Malware attack?


Chrome, Firefox, Edge, and Yandex are all affected in widespread ad-injection campaign.


Adrozek, as Microsoft has dubbed the malware family, relies on a sprawling distribution network comprising 159 unique domains, each hosting an average of 17,300 unique URLs. The URLs, in turn, host an average of 15,300 unique malware samples. The campaign began no later than May and hit a peak in August, when the malware was observed on 30,000 devices per day.

Not your father’s affiliate scam

The attack works against the Chrome, Firefox, Edge, and Yandex browsers, and it remains ongoing. The end goal for now is to inject ads into search results so the attackers can collect fees from affiliates. While these types of campaigns are common and represent less of a threat than many types of malware, Adrozek stands out because of malicious modifications it makes to security settings and other malicious actions it performs.

“Cybercriminals abusing affiliate programs is not new—browser modifiers are some of the oldest types of threats,” researchers from the Microsoft 365 Defender Research Team wrote in a blog post. “However, the fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks.”

The post said that Adrozek is installed “through drive-by download.” Installer file names use the format of setup__.exe. Attackers drop a file in the Windows temporary folder, and this file in turn drops the main payload in the program files directory. This payload uses a file name that makes the malware appear to be legitimate audio-related software, with names such as Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed the way legitimate software is and can be accessed through Settings>Apps & Features and is registered as a Windows service with the same file name.

The graphic below shows the Adrozek attack chain:


Once installed, Adrozek makes several changes to the browser and the system it runs on. On Chrome, for instance, the malware often makes changes to the Chrome Media Router service. The purpose is to install extensions that masquerade as legitimate ones by using IDs such as “Radioplayer.”

Bad extensions!

The extensions connect to the attacker’s server to fetch additional code that injects ads into search results. The extensions also send the attackers information about the infected computer, and on Firefox the malware also attempts to steal credentials. The malware goes on to tamper with certain DLL files. On Edge, for instance, it modifies MsEdge.dll so that it turns off the security controls that help detect unauthorized changes to the Secure Preferences file.

This technique, and similar ones for the other affected browsers, has potentially serious consequences. Among other things, the Secure Preferences file carries integrity checks over the values of various files and settings. By nullifying this check, Adrozek opens browsers up to other attacks. The malware also adds new permissions to the file.

Below is a screenshot showing those added to Edge:


The malware then makes changes to the system settings to ensure it runs each time the browser is restarted or the computer is rebooted. From that point on, Adrozek will inject ads that either accompany ads served by a search engine or are placed on top of them.

Thursday’s post doesn’t explicitly say what, if any, user interaction is required for infections to occur. It’s also not clear what effect defenses like User Account Control have. Microsoft makes no mention of the attack hitting browsers running macOS or Linux, so it's likely this campaign affects only Windows users. Microsoft representatives didn’t respond to an email asking for details.

The campaign uses a technique called polymorphism to blast out hundreds of thousands of unique samples. That makes signature-based antivirus protection ineffective. Many AV offerings—Microsoft Defender included—have behavior-based, machine-learning-powered detections that are more effective against such malware.
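Because every sample hashes differently, a defender hunting for this family has to key on the installation pattern the post describes rather than on file hashes: an installer-style `setup_*.exe` dropped in the temp folder, a payload under Program Files with an audio-themed name such as Audiolava.exe, QuickAudio.exe or converter.exe, and a Windows service registered under that same name. The script below is an added example, not code from the original post or from Microsoft; it encodes those indicators as a small triage pass over a constructed service table and a constructed temp-folder listing, so it runs offline. On a real host the same functions would be fed the output of a service enumeration and a directory listing instead. The `AUDIO_THEME_WORDS` heuristic and the severity labels are my own assumptions; a hit is a pointer for further investigation, not a verdict, since `converter.exe` in particular is a name legitimate software also uses.

```python
"""Hash-independent triage for the Adrozek installation pattern.

Added example (not from the original post). Runs over CONSTRUCTED sample
records so it works offline; feed it real service rows and a real temp
listing to use it on a host.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Payload file names the post reports Adrozek using (matched case-insensitively).
KNOWN_PAYLOAD_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}
# Assumed heuristic: words that make a binary look like the "audio-related
# software" the malware imitates.
AUDIO_THEME_WORDS = ("audio", "sound", "converter", "radio", "player")
# Dropper naming pattern from the post: setup_<...>.exe in the temp folder.
INSTALLER_RE = re.compile(r"^setup_.*\.exe$", re.IGNORECASE)
# Payload location from the post: the Program Files directory (either flavour).
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Service:
    """One row of a Windows service table: service name plus binary path (no args)."""
    name: str
    image_path: str


def classify_service(svc):
    """Return (severity, reason) for a suspicious service, or None if nothing matches."""
    exe_lower = PureWindowsPath(svc.image_path).name.lower()
    if exe_lower in KNOWN_PAYLOAD_NAMES:
        return ("high", f"binary {exe_lower} matches a payload name reported for Adrozek")
    in_program_files = bool(PROGRAM_FILES_RE.match(svc.image_path))
    # The post: registered as a service with the same file name as the payload.
    same_name = svc.name.lower() == PureWindowsPath(exe_lower).stem
    audio_themed = any(w in svc.name.lower() for w in AUDIO_THEME_WORDS)
    if in_program_files and same_name and audio_themed:
        return ("medium", f"audio-themed service {svc.name} under Program Files "
                          f"with a same-named binary")
    return None


def classify_temp_file(filename):
    """Return (severity, reason) for an installer-style file in the temp folder."""
    if INSTALLER_RE.match(filename):
        return ("medium", f"installer-style file {filename} in the temp folder")
    return None


def triage(services, temp_files):
    """Run both checks; return finding dicts with the highest severity first."""
    findings = []
    for svc in services:
        hit = classify_service(svc)
        if hit:
            findings.append({"subject": svc.name, "severity": hit[0], "reason": hit[1]})
    for name in temp_files:
        hit = classify_temp_file(name)
        if hit:
            findings.append({"subject": name, "severity": hit[0], "reason": hit[1]})
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# CONSTRUCTED sample input: a fake service table and a fake %TEMP% listing.
SAMPLE_SERVICES = [
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Service("QuickAudio", r"C:\Program Files\QuickAudio\QuickAudio.exe"),
    Service("SoundHelper", r"C:\Program Files (x86)\SoundHelper\SoundHelper.exe"),
    Service("MyBackup", r"C:\Program Files\MyBackup\MyBackup.exe"),
]
SAMPLE_TEMP_FILES = ["setup_sample_001.exe", "notes.txt", "SETUP_sample_002.EXE"]

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_TEMP_FILES):
        print(f"[{f['severity']:6}] {f['subject']}: {f['reason']}")
```

Against the constructed data the pass yields one high finding (the QuickAudio service, a reported payload name) and three medium ones (the audio-themed same-named SoundHelper service and the two `setup_*.exe` files); the legitimate-looking Spooler and MyBackup rows produce nothing, which is the point of combining several structural indicators rather than firing on any one of them.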

Source: Ars Technica


Tech Terminology: Bookmark

The Internet is home to a vast amount of knowledge. Undoubtedly you’ll find yourself revisiting certain sites more often than others to take advantage of the information contained within. Thankfully, the bookmark system is a great way to make this happen, giving users an easy and efficient way to navigate back to frequently-visited websites.


Tech Term: Cookies

Browser cookies might not sound delicious, but they are a particularly important part of your browser’s technology. Do you actually know what they do, though? Today’s tech term will explain just what these cookies are, as well as the purpose they serve for your organization.


Tip of the Week: Tricks for Better Internet Browsing

If you use the Internet every single day, you’ll start to realize that you can use it more effectively for achieving your goals. In cases like this, it’s important to look at ways you can improve your overall use of the Internet, as it’s the key way you access important information, applications, and contacts. Here are some day-to-day tips that you can use to help improve your mastery of the Internet.


Tip of the Week: Control Where Your Downloads Are Saved

Whenever you download a file from the Internet, the file will, by default, go to an aptly-titled folder in Windows called Downloads. Unless you change the default settings, your files will always be saved here. But what if you want to make it so that your downloads go somewhere else? You can accomplish this pretty easily. We’ll walk you through how to do it for some of the most popular browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox.


Tip of the Week: Closed a Tab Accidentally? Here’s How to Restore It

Everyone has accidentally closed an important web browser tab before they were finished with it. What can you really do about it, though? You might expect that you have to search for the page again, but there’s a much easier way to do it. In your Google Chrome browser on a PC or smartphone, you can reopen closed tabs relatively easily.


Tip of the Week: How to Clear Browser Cache in Chrome, Firefox, and Edge

Does it feel like your web browser is running slower than it should? Or is your browser prone to freezing up and crashing? If so, there’s one easy troubleshooting tip that you’ll want to try: clearing the cache.


Windows 10 is Super Popular... Microsoft’s New Edge Browser, Not so Much

Have you upgraded your business’s workstations to Windows 10 yet? If not, you should ask yourself why you haven’t done so. However, if you have upgraded, you’re one of the 25.3 percent of people using Windows 10. Windows 10 seems to be a great hit among end-users, but Microsoft’s new browser, Edge, isn’t so fortunate.
