Adrozek, a drive-by download attack, may be impacting your business’s browsers. From desktops to laptops to mobile devices, your endpoint security should be assessed.

Detecting Adrozek’s Malicious Adware

On December 10th, 2020, Microsoft announced detection of the malicious adware Adrozek on a variety of browsers, including Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox.

Adrozek is distributed via a drive-by download scam, where users are encouraged to run an audio program. The code is constantly evolving to ensure it evades antivirus detection, meaning corporate users must be vigilant in assessing their endpoint security.

Adrozek: Malware of the Day

Adrozek hijacks a browser, then injects unsolicited, sponsored links in the search engine results. Users then click these sponsored links (aka ads) instead of legitimate search engine results. In turn, the malware operator generates revenue via their pay-per-click scheme.

Adrozek is similar to other adware attacks. It differs, however, in that it sabotages a number of security controls in order to remain on the infected machine longer. Notably, the malware prevents the installation of important updates and disables integrity checks for browser configuration files. While the core function (ad injection) of the malware is not harmful, the secondary function introduces significant security risks.

One of these security risks is a password-stealing component.

How SMART-Monitor Detects Adrozek

Adrozek would be picked up quickly by SMART-Monitor, the engine behind CYDEF’s managed detection service.

Adrozek does not take extraordinary steps during its installation. Microsoft identified the 6 steps the malware takes:

  1. Initial download
  2. The stager phase (2ndinstaller). The main payload is downloaded using a random name.
  3. The main payload phase. This is the main malware loop that performs all the following phases.
  4. The persistence phase. The malware registers a service for persistence. 
  5. The browser modification phase. The malware alters the browser DLL to sabotage security controls, modifies browser preferences and installs additional browser extensions in order to hijack search results.
  6. The “downloader” phase. The malware installs additional binaries to provide additional functionalities to the attackers, such as password stealing capabilities. 

SMART-Monitor Tripwires

SMART-Monitor would detect the following stages:

  • The download
  • The stager phase
  • The main payload phase
  • The “downloader” phase

Each of these 4 phases relies on unusual and notable binaries. We’d pick those up as they were installed.

SMART-Monitor would also identify the registration of the service. In the process of investigating the registration, our analysts would trace it back to one of the unusual binaries.
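The correlation described above can be sketched as follows. This is an added example, not CYDEF's or Microsoft's code: it flags binaries that are absent from a baseline, flags a service registration that points at one of them, and traces that binary back through the processes that dropped it. The event field names, paths, service names and the baseline are all constructed for illustration.

```python
# Added example: constructed events, hypothetical field names and paths.
KNOWN_BINARIES = {  # assumed baseline of binaries already reviewed on this endpoint
    r"c:\program files\browser\browser.exe",
    r"c:\program files\example\updater.exe",
}

EVENTS = [  # simplified endpoint telemetry, in time order (constructed)
    {"type": "file_create", "path": r"C:\Users\u1\Downloads\sample_installer.exe",
     "by": r"C:\Program Files\Browser\browser.exe"},
    {"type": "file_create", "path": r"C:\Users\u1\AppData\Local\Temp\k3f9x.exe",
     "by": r"C:\Users\u1\Downloads\sample_installer.exe"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\Sample\payload.exe",
     "by": r"C:\Users\u1\AppData\Local\Temp\k3f9x.exe"},
    {"type": "service_install", "name": "SampleSvc",
     "path": r'"C:\Program Files (x86)\Sample\payload.exe" --run'},
    {"type": "service_install", "name": "ExampleUpdater",
     "path": r"C:\Program Files\Example\updater.exe"},
]

def image_path(raw):
    """Normalise a path; for a quoted service command line keep only the binary."""
    raw = raw.strip()
    if raw.startswith('"'):
        raw = raw[1:].split('"', 1)[0]
    return raw.lower()

def trace_origin(path, events):
    """Follow file_create events back: binary -> process that wrote it -> ..."""
    writers = {image_path(e["path"]): image_path(e["by"])
               for e in events if e["type"] == "file_create"}
    chain = [image_path(path)]
    while chain[-1] in writers and writers[chain[-1]] not in chain:
        chain.append(writers[chain[-1]])
    return chain

def review_queue(events, known):
    """Findings for analyst review: unknown binaries, and services that run them."""
    findings = []
    for e in events:
        p = image_path(e["path"])
        if p in known:
            continue
        if e["type"] == "file_create" and p.endswith((".exe", ".dll")):
            findings.append(("unknown_binary", p, [image_path(e["by"])]))
        elif e["type"] == "service_install":
            findings.append(("service_unknown_binary", e["name"], trace_origin(p, events)))
    return findings
```

Because the check keys on a binary being absent from the baseline rather than on its name, a randomly named payload is still flagged; the service finding carries the full drop chain back to the browser download.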

The two deceptive strategies used to conceal the malware are common, and wouldn’t be able to hide from CYDEF’s tools and investigations. These deceptive strategies (software polymorphism and primitive social engineering) simply mean the software takes on a new name or file type to trick a user or AV program.

Figure 1 illustrates which components of the attack chain would be picked up by SMART-Monitor and sent for analyst review.


Figure 1: Adrozek attack chain vs SMART-Monitor

A CYDEF Analyst Makes a Difference

The only phase which SMART-Monitor would not instantly flag for analyst review is the browser modification phase. That being said, it would be flagged by our analysts during the investigation. We’d drill down to see the modification of the DLL and the installation of the extensions.

This malware relies on old-school methods of dropping binaries. That’s easy to detect. All the same, a significant (even huge) number of victims fell prey to the attack. Microsoft reports 30,000 concurrent victims at the peak of the attack in August 2020. This fact alone demonstrates that security is a task of constant vigilance. Logs (or activities in our case) must constantly be reviewed to find traces of infections. Anti-virus engines must constantly be updated to the latest signatures to detect the latest threats. Failure to do so might allow this kind of threat to sneak in, even when the threat is not technically challenging to detect.

Security is a Journey, Not a Destination

Whenever a new malware or a novel attack technique is disclosed, there is a natural increase in anxiety. Am I protected against this new threat?

If the security treadmill is wearing you down, CYDEF’s managed detection and response service SMART-Monitor might interest you. Our website provides a detailed description of our services, including white papers and testimonials.

Dr. Antoine Lemay

Chief Scientific Officer