UPDATED 22:13 EST / DECEMBER 10 2020

SECURITY

Microsoft warns Adrozek malware is hijacking advertising in search results

Microsoft Corp.’s 365 Defender Research Team today issued a warning in relation to a malware campaign that seeks to inject ads silently into search results in multiple browsers.

Dubbed “Adrozek,” the persistent malware campaign, believed to have first emerged in May, is designed to inject ads into search engine results pages. The malware affects multiple browsers, including Microsoft Edge, Google Chrome, Yandex Browser and Firefox, exposing what Microsoft describes as the attacker’s intent to reach as many internet users as possible.

Although Adrozek may not appear to be that malicious, the number of infected users is believed to be at the very least in the hundreds of thousands but may well be higher. The ads injected by the malware are primarily affiliate program links where those behind the malware get a cut for every purchase made when those infected click through on the injected ads. Victims were primarily found in Europe, as well as in India and Southeast Asia.

Injecting ads in and of itself isn’t that bad, but the Microsoft researchers warn that with Firefox users, “Adrozek takes things further.” The malware steals user credentials, downloading randomly named .exe files that include device information and the currently active username.

“The malware looks for specific keywords like encryptedUsername and encryptedPassword to locate encrypted data,” the researchers noted. “It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to attackers.”

Users who have been infected by Adrozek are advised to re-install their browsers.

“This is a great example of how technically advanced modern attackers are,” Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “While we often hear about data breaches and fraudulent wire transfers, campaigns like this quietly run in the background generating income by redirecting search results. In many cases, it’s likely that the advertisers are unaware that malware is being used to increase this traffic. The advertisers are losing money, as they are presenting ads to possibly uninterested people, while paying the cybercriminals.”

In particular, Kron added, the addition of credential theft from the Firefox browser provides attackers a valuable tool. “Attackers love to have access to usernames and passwords that they will then use in credential stuffing attacks on other accounts such as banking or shopping websites,” he said. “These are successful because people often reuse the same password for many different accounts.”

Image: Microsoft
