https://www.theregister.com/2020/12/10/windows_malware_browsers/
A Windows-based browser exploit referred to as 'Adrozek' is plaguing
Windows web surfing victims with "an ongoing campaign to distribute
malware that modifies web browsers to conduct credential theft and ad
fraud".
"Since at least May, 2020, unidentified cybercriminals have been
distributing a family of browser modifiers dubbed Adrozek, Microsoft
said. The code, which targets Google Chrome, Microsoft Edge, Mozilla
Firefox, and Yandex Browser on Windows, mainly injects ads into search
results pages."
Apparently it edits content and injects advertisements, apparently over
the top of legit ones, in browser search results. It also appears to
modify a browser DLL (in Windows, yeah) as well as browser settings.
Apparently (in Firefox) it also acts as spyware, scanning for
credentials, and sending what it finds to the attacker.
"Microsoft said it has detected 159 unique domains, each hosting an
average of 17,300 unique URLs that each host more than 15,300 unique,
polymorphic malware samples on average. Its systems measured hundreds of
thousands of contacts with Adrozek malware, mainly in Europe, South
Asia, and Southeast Asia. And the campaign is ongoing."
"This distribution system offers up software for download that
unwitting victims run."
So it appears you have to download an installer to become a victim...
"The installer drops a randomly named .exe file that installs a primary
payload disguised as legitimate audio software in the Windows Program
Files folder. The installed code then makes changes to various browser
components and settings to enable ad injection and credential theft."
"Adrozek also attempts to alter browser DLLs, such as MsEdge.dll in
Microsoft Edge so changes to the Secure Preferences file won't be
noticed. In Chromium-based browsers, it modifies a security-related hash
integrity check used to prevent tampering. It also adds a policy to
prevent the browsers it subverts from being updated."
MS says its Defender fixes this in Win-10-nic. But what about those of
us who don't WANT Win-10-nic and use earlier versions? I expect
Defender will still work, if it's still updating its virus info.
But I say "practice safe surfing" and do NOT web surf if you run the
browser on Windows... PERIOD!!!
Also, since an executable installer download is involved, I have to
wonder what effect script blockers, ad blockers, and popup blockers have
on this particular vulnerability...
--
(aka 'Bombastic Bob' in case you wondered)
'Feeling with my fingers, and thinking with my brain' - me
'your story is so touching, but it sounds just like a lie'
"Straighten up and fly right"
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)