Adrozek Trojan

Adrozek is a family of ad injecting and credential stealing trojans targeting most popular web browsers.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in May 2020, Adrozek is a family of sophisticated adware trojans targeting the Chrome, Edge, Firefox and Yandex web browsers.


Delivery

Adrozek is delivered via drive-by download from thousands of dynamically registered domains, which can rotate every few days and so make blocklisting and detection difficult. When a user visits one of these domains, an initial installer drops an EXE file containing a secondary downloader in the %TEMP% folder. This downloader in turn drops the actual Adrozek binary in the Program Files folder under a legitimate-looking filename.


Activities

Once installed, Adrozek makes several changes to the target browser's extensions, injecting up to seven JavaScript files and a JSON file into each extension's directory. These scripts then connect to an attacker-controlled command and control server and download additional scripts, which are responsible for injecting malicious adverts into the user's browser session.

Whilst this is happening, Adrozek also edits certain DLL files used by the browsers in order to change the home page, default search engine and security settings. On Mozilla Firefox installations it additionally downloads an EXE file that attempts to extract the user's stored browser credentials.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host indicators

Filepaths

  • %localappdata%\Microsoft\Edge\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch
  • %localappdata%\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
  • %appdata%\Roaming\Mozilla\Firefox\Profiles\<profile>\Extensions\{14553439-2741-4e9d-b474-784f336f58c9}
  • %localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions\fcppdfelojakeahklfgkjegnpbgndoch
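As an added example (not from the NHS Digital page or from the malware itself), the following Python sweep checks the extension directories listed above for any directory named after one of the Adrozek extension IDs and reports how many .js and .json files it holds, since the Activities section describes up to seven JavaScript files and a JSON file being injected per extension. The %VAR% paths only expand on Windows, and `EXTENSION_ROOTS`, `match_extension` and `scan_extension_roots` are names chosen for this example.

```python
import glob
import os
from typing import Dict, List, Optional

# Extension directory names taken from the host indicators above.
ADROZEK_EXTENSION_IDS = {
    "fcppdfelojakeahklfgkjegnpbgndoch",        # Edge and Yandex Browser
    "pkedcjkdefgpdelpbcmbmeomcjbeemfm",        # Chrome
    "{14553439-2741-4e9d-b474-784f336f58c9}",  # Firefox
}

# The advisory's extension roots, with <profile> widened to a glob so every
# Firefox profile is checked. %VAR% expansion only resolves on Windows.
EXTENSION_ROOTS = [
    r"%localappdata%\Microsoft\Edge\User Data\Default\Extensions",
    r"%localappdata%\Google\Chrome\User Data\Default\Extensions",
    r"%appdata%\Roaming\Mozilla\Firefox\Profiles\*\Extensions",
    r"%localappdata%\Yandex\YandexBrowser\User Data\Default\Extensions",
]

def match_extension(dir_name: str, file_names: List[str]) -> Optional[Dict[str, object]]:
    """Return a finding if dir_name is an Adrozek extension ID, else None."""
    if dir_name not in ADROZEK_EXTENSION_IDS:
        return None
    # File counts give context: the advisory describes up to seven JavaScript
    # files plus a JSON file being injected into each extension directory.
    lower = [f.lower() for f in file_names]
    return {"extension_id": dir_name,
            "js_files": sum(f.endswith(".js") for f in lower),
            "json_files": sum(f.endswith(".json") for f in lower)}

def scan_extension_roots(roots: List[str]) -> List[Dict[str, object]]:
    """Expand and glob each root, then check every extension directory under it."""
    findings = []
    for root in roots:
        for ext_root in glob.glob(os.path.expandvars(root)):
            for dir_name in os.listdir(ext_root) if os.path.isdir(ext_root) else []:
                ext_path = os.path.join(ext_root, dir_name)
                if not os.path.isdir(ext_path):
                    continue
                files = [f for _, _, fs in os.walk(ext_path) for f in fs]
                finding = match_extension(dir_name, files)
                if finding:
                    findings.append({**finding, "path": ext_path})
    return findings

if __name__ == "__main__":
    for hit in scan_extension_roots(EXTENSION_ROOTS):
        print(f"Adrozek IoC: {hit['path']} ({hit['js_files']} .js, {hit['json_files']} .json)")
```

Run it as the affected user so that %localappdata% and %appdata% resolve to that user's profile; an empty result means none of the listed extension IDs are present, not that the host is clean.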

Last edited: 17 December 2020 1:01 pm