Dubbed "Adrozek", the browser-modifier malware family has been active since May 2020, injecting advertisements into search results. The injected ads lead users to affiliate pages whose operators pay the attackers according to the amount of traffic Adrozek drives to them. Microsoft noted that in August 2020 the malware was observed on over 30,000 devices.
But Adrozek is more than adware: it persists on the infected machine and can also steal credentials. It is distributed via drive-by downloads from 159 domains hosting hundreds of thousands of unique URLs.
Microsoft warned that while the main purpose of this malware family so far has been to insert ads into search results, the degree of control it establishes over a machine as part of its attack chain means its operators could change that purpose at any time and turn it into something far more dangerous. The credential theft Adrozek already carries out on Firefox shows that this is not a hypothetical concern.
Microsoft Defender now detects and blocks Adrozek using machine-learning-based protections. The company has advised victims to reinstall their browsers and to avoid downloading software from untrusted websites. Microsoft also encourages users to turn on URL filtering such as SmartScreen in the Edge browser. Organizations, meanwhile, have been advised to allow only authorised apps and services to run, using the enterprise-grade controls Microsoft offers for Edge.