Microsoft has described a Windows malware family, named Adrozek, that injects unwanted links into browser search results and steals login details stored in the browser. Microsoft says it has seen the malware on at least 30,000 computers.
Adrozek is distributed by drive-by download: victims are led to a rogue website that persuades them to download and install the malicious software, Microsoft writes in a blog post. Once installed, it persists by adding a registry key so that it starts again with the computer, and it disguises itself as legitimate software by using executable names such as Audiolava.exe, QuickAudio.exe or converter.exe.
Malicious browser extension
The malware then checks which browsers are installed on the computer. It targets Microsoft Edge, Google Chrome, Mozilla Firefox and the Yandex Browser, and for each browser it finds it installs a malicious extension and switches off security features that would otherwise detect or undo its changes. ZDNet lists the changes the malware makes to the browsers:
- Disabling browser updates
- Disabling file integrity checks
- Disabling the Safe Browsing feature
- Registering and activating the extension it added in a previous step
- Allowing the malicious extension to run in incognito mode
- Allowing the extension to run without obtaining the appropriate permissions
- Hiding the extension from the toolbar
- Modifying the browser’s default home page
- Modifying the browser’s default search engine
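Most of the changes in that list end up as plain settings in the browser's preference files, so they can be audited. The script below is an added example written for this page, not code from Microsoft's or ZDNet's write-ups: it reads a Chromium-style Preferences dictionary and reports Safe Browsing being switched off, an overridden home page or default search engine, and extensions that are allowed in incognito mode, did not come from the Web Store, or inject a content script into every page; it also screens exported Run-key entries for the executable names mentioned earlier. The preference key names follow the layout of Chromium's Preferences and Secure Preferences files as the author of this example knows them, the list of "expected" search hosts is an assumption, and both data samples are constructed for illustration rather than taken from a real Adrozek sample.

```python
"""Triage checks for the browser modifications listed on this page.

Added example, not code from Microsoft's or ZDNet's write-ups. Preference
keys follow Chromium's Preferences / Secure Preferences layout as the
author understands it; all sample data below is constructed.
"""
import json
import ntpath
from urllib.parse import urlparse

# Executable names the page reports the malware using (lower-cased for matching).
SUSPECT_IMAGE_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}

# Hosts a legitimate default search provider is expected to use (assumption).
EXPECTED_SEARCH_HOSTS = ("google.com", "bing.com", "duckduckgo.com", "yandex.ru")

# Match patterns that give a content script access to every page.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_of(url):
    # Chromium keeps placeholders such as {searchTerms} in the query string,
    # so urlparse still extracts the host correctly.
    return urlparse(url).hostname or ""


def audit_chromium_prefs(prefs):
    """Return human-readable findings for a parsed Preferences dictionary.

    These are triage heuristics (a user may legitimately set a home page), so
    treat each finding as something to inspect, not as proof of infection.
    """
    findings = []

    if not prefs.get("safebrowsing", {}).get("enabled", True):
        findings.append("safe browsing disabled")

    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", False):
        findings.append("home page overridden: %s" % homepage)

    search_url = (prefs.get("default_search_provider_data", {})
                       .get("template_url_data", {})
                       .get("url", ""))
    host = _host_of(search_url)
    if search_url and not any(host == h or host.endswith("." + h)
                              for h in EXPECTED_SEARCH_HOSTS):
        findings.append("default search engine changed to %s" % host)

    for ext_id, settings in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if settings.get("incognito"):
            reasons.append("allowed in incognito")
        if settings.get("from_webstore") is False:
            reasons.append("not installed from the Web Store")
        for script in settings.get("manifest", {}).get("content_scripts", []):
            if BROAD_MATCHES.intersection(script.get("matches", [])):
                reasons.append("content script injected into every page")
                break
        if reasons:
            findings.append("extension %s: %s" % (ext_id, ", ".join(reasons)))
    return findings


def suspicious_run_entries(run_values):
    """Given Run-key value name -> command line, return entries whose image
    name matches one the page lists. The page does not say which Run key the
    malware uses, so export every Run key you collect and pass them all in."""
    hits = []
    for name, cmd in run_values.items():
        cmd = cmd.strip()
        if not cmd:
            continue
        # Quoted paths may contain spaces; unquoted ones end at the first space.
        image = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if ntpath.basename(image).lower() in SUSPECT_IMAGE_NAMES:
            hits.append((name, cmd))
    return hits


# Constructed Preferences excerpt showing the tampering described above.
TAMPERED_PREFS = json.loads("""
{
  "safebrowsing": {"enabled": false},
  "homepage": "http://example.invalid/start",
  "homepage_is_newtabpage": false,
  "default_search_provider_data": {
    "template_url_data": {
      "short_name": "Search", "keyword": "search",
      "url": "http://search.example.invalid/?q={searchTerms}"
    }
  },
  "extensions": {
    "settings": {
      "aaaabbbbccccddddeeeeffffgggghhhh": {
        "state": 1, "incognito": true, "from_webstore": false,
        "manifest": {
          "name": "Media Helper",
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
        }
      }
    }
  }
}
""")

# Constructed Run-key export: value name -> command line as read from a host.
RUN_VALUES = {
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "QuickAudio": '"C:\\Program Files (x86)\\QuickAudio\\QuickAudio.exe"',
}

if __name__ == "__main__":
    for line in audit_chromium_prefs(TAMPERED_PREFS):
        print("prefs:", line)
    for name, cmd in suspicious_run_entries(RUN_VALUES):
        print("run key:", name, "->", cmd)
```

On a live Windows host the Preferences and Secure Preferences files sit under the browser's user-data directory; load them with `json.load` and pass the result to `audit_chromium_prefs`, and collect the Run-key values with your usual registry tooling before handing them to `suspicious_run_entries`. Chromium protects the extension settings in Secure Preferences with a MAC and resets entries that fail the check, so a tampered extension entry that survives a browser restart is itself evidence that the file integrity check named in the list above has been defeated.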
The main purpose of the extension is to tamper with the search results the browser displays, inserting extra links to advertising websites or traffic referral programmes. The malware also harvests passwords the browser has stored and sends them to the attackers' servers.
Microsoft's researchers have tracked 159 distinct domains used to distribute the malware since May 2020. Between tens and hundreds of thousands of different URLs were created on those domains, which gives an indication of the scale of the operation.
The malware is mainly seen in Europe, South Asia and South-East Asia. Microsoft expects it to keep expanding in the coming months, using different methods to spread. Because it modifies the browsers' own files and settings rather than just adding an extension, the company advises victims to reinstall their browsers.