Discussion:
Adrozek, malware that hijacks Chrome, Edge and Firefox
Rbwd
2020-12-12 04:45:33 UTC
Hi.

Does it work in Linux?

I can't find it.

https://linuxitpro.net/news/microsoft-exposes-adrozek-malware-hijacks-chrome-edge-and-firefox
Andrei Z.
2020-12-12 06:35:15 UTC
Post by Rbwd
Hi.
Does it work in Linux?
I can't find it.
https://linuxitpro.net/news/microsoft-exposes-adrozek-malware-hijacks-chrome-edge-and-firefox
Widespread malware campaign seeks to silently inject ads into search
results, affects multiple browsers - Microsoft Security

https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
Paul
2020-12-12 10:03:06 UTC
Post by Andrei Z.
Post by Rbwd
Hi.
Does it work in Linux?
I can't find it.
https://linuxitpro.net/news/microsoft-exposes-adrozek-malware-hijacks-chrome-edge-and-firefox
Widespread malware campaign seeks to silently inject ads into search
results, affects multiple browsers - Microsoft Security
https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
The beginning of the chain is running "setup...xxx.exe", an
installer that auto-elevates.

While a Linux user could run WINE setup...xxx.exe
the question would be, what browser would or could the attack
attach to? The WINE files are on Drive_C. Could a person
run Chrome.exe in WINE and the campaign attack it?

I would say for the most part, a WINE attack vector is unlikely.
There isn't a strong incentive to be running browsers from WINE.
And the attack would then inject adverts into the WINE browser
and not the host-level browser.

They would need to craft an attack with .deb and get you
to compromise your setup by adding a third-party repo. Maybe
they could get in that way. Seeing as this outfit has mounds
of meat-machines to create the malware (a whole team), they
could easily send off a sub-team to work on a Linux version.
It would depend on whether they thought it was worth the effort
(payback).

You'd use your usual level of OPSEC to stop them.

Paul
Andrei Z.
2020-12-12 11:21:21 UTC
Post by Paul
Post by Andrei Z.
Post by Rbwd
Hi.
Does it work in Linux?
I can't find it.
https://linuxitpro.net/news/microsoft-exposes-adrozek-malware-hijacks-chrome-edge-and-firefox
Widespread malware campaign seeks to silently inject ads into search
results, affects multiple browsers - Microsoft Security
https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
The beginning of the chain is running "setup...xxx.exe", an
installer that auto-elevates.
While a Linux user could run WINE setup...xxx.exe
the question would be, what browser would or could the attack
attach to? The WINE files are on Drive_C. Could a person
run Chrome.exe in WINE and the campaign attack it?
I would say for the most part, a WINE attack vector is unlikely.
There isn't a strong incentive to be running browsers from WINE.
And the attack would then inject adverts into the WINE browser
and not the host-level browser.
They would need to craft an attack with .deb and get you
to compromise your setup by adding a third-party repo. Maybe
they could get in that way. Seeing as this outfit has mounds
of meat-machines to create the malware (a whole team), they
could easily send off a sub-team to work on a Linux version.
It would depend on whether they thought it was worth the effort
(payback).
You'd use your usual level of OPSEC to stop them.
   Paul
BTW, Pwnie Award Winners 2020
https://pwnies.com/winners/

I like this
<quote>
*Most Epic Fail*

Microsoft's implementation of elliptic curve signatures allowed
attackers to generate private pairs for the public keys of any
legitimate signer. This enabled spoofing of any HTTPS website or signed
binary on affected versions of Windows.
<unquote>
Jonathan N. Little
2020-12-12 15:00:09 UTC
Post by Rbwd
Hi.
Does it work in Linux?
I can't find it.
https://linuxitpro.net/news/microsoft-exposes-adrozek-malware-hijacks-chrome-edge-and-firefox
I doubt it.

"Adrozek gets installed in a device through the “drive-by download”
method. The Microsoft blog post explains: “When run, the installer drops
an .exe file with a random file name in the %temp% folder. This file in
turn drops the main payload in the Program Files folder using a file name
that makes it look like a legitimate audio-related software. We have
observed the malware use various names like Audiolava.exe,
QuickAudio.exe, and converter.exe.”"

Unlike Windows, just slapping '.exe' on a file name does not make it
executable in Linux. Usually this malware works by embedding an
executable script like VBA or PowerShell in an email that creates a
downloader to download some '.exe' that will only run in Windows.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
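An added hunting helper (not from the post, nor from Microsoft's write-up) that checks the two drop locations the quoted description names: a random-named .exe in the temp folder and a payload under Program Files carrying one of the audio-sounding names. The directory layout and the random-looking temp file name are constructed for the demonstration.

```python
"""Hunting helper for the Adrozek drop pattern quoted in the post above:
a dropper .exe with a random name in %temp%, then a payload under
Program Files named like audio software (Audiolava.exe, QuickAudio.exe,
converter.exe). Directory layout and file names below are constructed."""
from pathlib import Path
import tempfile

# Payload names quoted from the Microsoft write-up; matched case-insensitively.
ADROZEK_NAMES = {"audiolava.exe", "quickaudio.exe", "converter.exe"}


def scan_program_files(root: Path) -> list[str]:
    """Return paths (relative to root) of files matching a known payload name."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in ADROZEK_NAMES)


def temp_executables(temp_dir: Path) -> list[str]:
    """List .exe files sitting directly in the temp folder. The dropper stage
    lands there under a random name, so each one deserves a look; this is a
    triage heuristic, not proof of infection."""
    return sorted(p.name for p in temp_dir.iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe")


def build_demo_tree(base: Path) -> tuple[Path, Path]:
    """Constructed layout: a benign tool, two payload-style drops, a temp dropper."""
    pf, temp = base / "Program Files", base / "Temp"
    (pf / "RealAudioTool").mkdir(parents=True)
    (pf / "RealAudioTool" / "player.exe").write_bytes(b"MZ")  # benign
    (pf / "QuickAudio").mkdir()
    (pf / "QuickAudio" / "QuickAudio.exe").write_bytes(b"MZ")  # quoted name
    (pf / "converter.exe").write_bytes(b"MZ")                  # quoted name
    temp.mkdir()
    (temp / "xk3j9q.exe").write_bytes(b"MZ")   # constructed random-looking name
    (temp / "notes.txt").write_text("not an executable")
    return pf, temp


def demo() -> dict[str, list[str]]:
    """Run both checks over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        pf, temp = build_demo_tree(Path(tmp))
        return {"program_files": scan_program_files(pf),
                "temp": temp_executables(temp)}


if __name__ == "__main__":
    for where, hits in demo().items():
        print(where, "->", hits or "nothing flagged")
```

On a real Windows host you would point scan_program_files at each Program Files directory and temp_executables at %temp%, and then verify any hit's signature and origin before acting on it.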