According to Microsoft, an ongoing malware campaign targeting the Google Chrome, Mozilla Firefox, Microsoft Edge, and Yandex web browsers is hitting computers worldwide.

The campaign, active since May 2020, was observed on over 30,000 devices daily at its August peak and is designed to inject adverts into your search engine results page.

Ad-Injecting Malware Hits Thousands of Computers

In a post on the Microsoft 365 Defender Research Team Blog, the company detailed how they had tracked the malware since early May 2020, watching it spread worldwide.

The malware type is known as Adrozek. The Adrozek malware family adds browser extensions, changes browser settings to inject adverts into your search results, and modifies a specific DLL to remain undetected.

If the Adrozek malware is not detected, it will inject adverts above the ones you expect to see in your search engine. The following Microsoft image illustrates the difference:

[Image: Microsoft's comparison of search results with and without Adrozek's injected adverts]

The adverts inserted into the search results include links to affiliate sites, where the attacker can earn money through the volume of traffic sent to the page or through page clicks. At worst, someone could make a direct purchase, opening up potentially dangerous issues such as identity and credit card fraud.

Furthermore, on certain browsers, Adrozek is more dangerous. On Mozilla Firefox, Adrozek can activate an additional module that allows for credential theft. In short, it steals the passwords stored in your browser and sends them to the attacker.

Adrozek infections are concentrated primarily in Europe, with further heavy concentrations in South Asia and Southeast Asia. As per the Microsoft report, this distribution is expected from a "sustained, far-reaching campaign."

Microsoft tracked 159 unique domains, with each domain hosting an average of 17,300 URLs. Each URL hosts an average of 15,300 unique, polymorphic malware samples.


How Does Adrozek Get on Your System?

Something that sets Adrozek apart from other, similar browser-based malware is its use of drive-by downloads.

In this case, a drive-by download refers to the installer appearing on your machine without you clicking a download button or otherwise agreeing to it. When run, the installer downloads a secondary installer, which in turn downloads and installs the main malware payload.

The main payload carries a filename relating to audio software, such as "QuickAudio.exe" or "converter.exe", which helps to disguise it among your other files.

After installation, Adrozek contacts its control server and begins modifying browser security settings.

Browsers have security settings that defend against malware tampering. The Preferences file, for example, contains sensitive data and security settings. Chromium-based browsers detect unauthorized modifications to these settings through signatures and validation applied to several preferences.

Adrozek disables and patches over these security settings, as well as disabling browser security updates. It also includes several functions to help the malware remain on your system, including creating its own Windows service.
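As an added defender-side illustration (not code from this article or from Microsoft's report), the Python script below audits the extension entries in a Chromium "Secure Preferences" file for the kind of tampering described above: extensions not installed from the Web Store, extensions loaded from a path outside the browser profile, and entries that lack the integrity MAC the browser normally records. The JSON layout (`extensions.settings`, `protection.macs`) is assumed from Chromium's format, and the embedded sample file, extension ids and paths are constructed for this example.

```python
import json
from typing import Any

# Constructed sample of a Chromium "Secure Preferences" file. The key layout
# (extensions.settings.<id>, protection.macs) is an assumption about the real
# format; ids, paths and the MAC value are placeholders, not real data.
SAMPLE_SECURE_PREFS = r'''
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "state": 1
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "path": "C:\\Users\\Public\\converter\\ext",
        "state": 1
      }
    }
  },
  "protection": {
    "macs": {"extensions": {"settings": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "deadbeef"}}}
  }
}
'''


def audit_extensions(secure_prefs_json: str) -> list[dict[str, Any]]:
    """Return one finding per extension entry that looks tampered with or sideloaded."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = prefs.get("protection", {}).get("macs", {}).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        path = entry.get("path", "")
        # Profile-local extensions use a path relative to the Extensions folder;
        # an absolute path means the extension is loaded from elsewhere on disk.
        if ":" in path or path.startswith("\\") or path.startswith("/"):
            reasons.append("absolute path outside the profile's Extensions folder")
        if ext_id not in macs:
            reasons.append("no integrity MAC recorded for this entry")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return findings
```

Run it against a copy of the profile's Secure Preferences file (not the live one, which the browser holds open) and treat every finding as a lead for a closer look, since legitimately sideloaded enterprise extensions will also appear.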

How to Remove Adrozek

If you notice your browser displaying random adverts or redirecting you to random sites, the first thing to do is run a virus scan using your antivirus program.


You should also consider running a secondary scan using a tool such as Malwarebytes, which will scan for and remove all types of malware from your system. Finally, the Microsoft team advises users to "reinstall their browsers" to remove any malware traces.