Microsoft revealed that the malware is called Adrozek. “If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines,” explained the researchers.
Explaining the impact of the attack, Microsoft said, “We tracked 159 unique domains, each hosting an average of 17,300 unique URLs, which in turn host more than 15,300 unique, polymorphic malware samples on average.”
The malware even disabled auto-updates for these browsers. “To prevent the browsers from being updated with the latest versions, which could restore modified settings and components, Adrozek adds a policy to turn off updates,” it said.
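One defensive check this behaviour suggests is auditing browser installs for update-disabling policies. The added example below (not from the article or from Microsoft's analysis) inspects Firefox's documented enterprise policy file, `distribution/policies.json`, for the `DisableAppUpdate` key; the article does not say which policy channel Adrozek used, so this is one illustrative place to look, and the sample policy files are constructed.

```python
import json
from pathlib import Path

# Firefox reads enterprise policies from <install dir>/distribution/policies.json.
# "DisableAppUpdate" is Mozilla's documented key for turning off application
# updates. Assumption: the article does not name the mechanism Adrozek used, so
# this key is an illustrative indicator, not a confirmed Adrozek artifact.
UPDATE_BLOCKING_KEYS = {"DisableAppUpdate"}


def find_update_blocking_policies(policies_json: str) -> list:
    """Return the update-blocking policy names set to true in a policies.json text."""
    try:
        doc = json.loads(policies_json)
    except json.JSONDecodeError:
        return []  # unparsable file: report nothing rather than guess
    policies = doc.get("policies", {}) if isinstance(doc, dict) else {}
    if not isinstance(policies, dict):
        return []
    return sorted(k for k in UPDATE_BLOCKING_KEYS if policies.get(k) is True)


def audit_firefox_install(install_dir: Path) -> dict:
    """Report whether a Firefox install directory carries an update-blocking policy."""
    path = install_dir / "distribution" / "policies.json"
    if not path.is_file():
        return {"path": str(path), "present": False, "blocking": []}
    blocking = find_update_blocking_policies(path.read_text(encoding="utf-8"))
    return {"path": str(path), "present": True, "blocking": blocking}


# Constructed samples: a policy file that silently disables updates, and a benign one.
SAMPLE_BLOCKING = json.dumps({"policies": {"DisableAppUpdate": True,
                                           "Homepage": {"URL": "https://example.invalid"}}})
SAMPLE_BENIGN = json.dumps({"policies": {"Homepage": {"URL": "https://example.invalid"}}})

if __name__ == "__main__":
    for label, text in (("blocking", SAMPLE_BLOCKING), ("benign", SAMPLE_BENIGN)):
        hits = find_update_blocking_policies(text)
        status = "UPDATES DISABLED via " + ", ".join(hits) if hits else "updates not blocked"
        print(f"{label}: {status}")
```

On a real host, point `audit_firefox_install` at each Firefox installation directory; a `blocking` entry that no administrator configured is worth investigating alongside the extension and DLL changes the article describes.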
Mozilla Firefox was the worst affected by Adrozek because, on that browser, the malware also performed credential theft. It downloaded an additional, randomly named .exe file that collects device information and the currently active username and sends this information to the attacker. “The malware targeted certain keywords like encryptedUsername and encryptedPassword to locate encrypted data. It then decrypts the data using the function PK11SDR_Decrypt() within the Firefox library and sends it to attackers,” Microsoft added.