Is P M subject to Adrozek?

[TwoTankAmin]

The title says it all.

From PC mag online - December 11, 2020
https://www.pcmag.com/news/microsoft-warns-adrozek-malware-is-infecting-thousands-of-pcs-to-insert

Thanks for any info on this.

[vannilla]

viewtopic.php?f=66&t=25805

[Moonchild]

No.
The extension part is a ChromeWebExtension. That (and the fact that there's apparently no proper security to prevent silent installation of them?) is the only reason it can target multiple browsers from a single malware installer.

Of course it's a bad idea to run randomly-named programs that somehow made it onto your PC

[New Tobin Paradigm]

So the webex is drive-by installed and downloads and runs "setup__.exe" or whatever?

Good thing drive-by isn't possible here.

Though, we should keep an eye on any new submitions or updates to extensions. I wouldn't doubt one of the enemy agents might be stupid enough to try to submit something then shove an update with instructions to download and execute a payload down the AUS pipe.

Or try and turn an extension developer to their cause to create a spectical. Though this would be extreamely traceable and all parties would be identifed unlike the people behind the webex version.

If users are conserned about that you can turn off updates to extensions and vet them your self. But I seriously doubt that the originators targeting the Google Axis Powers are interested in us.

[Moonchild]

So the webex is drive-by installed and downloads and runs "setup__.exe" or whatever?

No, it's an .exe installer to begin with and it installs webextensions into various browsers (that is apparently not guarded against with a registry or whatnot like we have).

[New Tobin Paradigm]

Ah i see.. I thought webextensions couldn't be "sideloaded" without allowing it first and also that they have a permission system etc.

[vannilla]

Ah i see.. I thought webextensions couldn't be "sideloaded" without allowing it first and also that they have a permission system etc.

I haven't really read too much about it so I don't know the minute details, but apparently the exe is able to rewrite the permission file to allow the installation of the webextension.
I think (again, didn't read the details) this is possible because some browsers install into directories that are always writable by the user (like AppData) and thus the malware can edit anything, including the permission-related file(s) used for extension control.

[Moonchild]

The bane of storing everything in a .json, i guess?

Either way, if you run malware on your system with admin rights (which is what starts all this) then all bets are off, anyway.

[New Tobin Paradigm]

True. Hell it could be that this is being so hyped as the first major tangible evidence against having an extension system at all. Also could serve to distract and/or re-enforce restrictions under Manifest v3 in the meantime as the plan to kill any extensions could be moved forward.

No one is gonna bother reading beyond the headline let alone understanding the technical facts of the matter anyway.

Regardless, not our problem.. As for OUR extensions, get crackin. Forking is the future and the future starts with you.

[TwoTankAmin]

Thanks for the info.

Mu brother is good friend with a high level computer expert and has high level government security clearance. He also helps my bro with his computers. He emailed my bro re Adrozek since my bro runs Windows 10 and uses Chrome and Edge. My bro let me know and I came here. Before I made this thread I did a forum search for "Adrozek" and I got nothing back. (The term does not appear in vanilla's link). So I then posted this thread.