Security researchers at Check Point have discovered a massive malware campaign spreading the Fireball malware. The malicious code has already infected more than 250 million computers worldwide running both Windows and Mac OS.
The Fireball malware can be used by attackers to gain full controls of the victim’s web browsers, it could be used to spy on the victims and exfiltrate user data.
The researchers associated the campaign with the operation of the Chinese firm Rafotech that is a company that officially offers digital marketing and game apps to 300 million customers.
“Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. ” reads the analysis published by CheckPoint. “Fireball has two main functionalities: the ability to run any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue.
The company is accused of being using the Fireball malware for generating revenue by injecting advertisements onto the browsers, but experts highlighted that the malicious code can be used to comprise a large number of devices.
“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes.” continues the analysis.“Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.”
The malware replaces the default search engines and home pages with fake search engines (trotux.com).
The search engine redirects the victim’s queries to either Yahoo.com or Google.com and then includes tracking pixels to collect the victim’s information.
Fireball allows attackers to spy on victim’s web traffic, execute any malicious code, install plug-ins, and also download other payloads.
“From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C– it is not inferior to a typical malware.” continues check Point
Currently, cyber criminals use the Fireball adware to hijacking users’ web traffic to boost its advertisements
The experts estimated that the Fireball malware has already infected more than 250 million computers worldwide, roughly 20 percent of them are corporate networks.
“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach,” researchers added.
To check the presence of the malware on your systems open your web browser and try to reply the following questions:
To uninstall the adware just remove the respective application from the machine and reset to default settings for your browser.
As usual, let me suggest paying attention when installing software, install only the software you need and check every option the software installers display.
(Security Affairs – Fireball malware, adware)