A high volume Chinese threat operation was recently discovered by Check Point Threat Intelligence and research teams that have infected more than 250 million computers worldwide. It is said that this newly installed Chinese malware Fireball takes over the target browsers and then turns them into zombies! Further, it is said to have two main functionalities, namely the ability to run any code on a victim’s computer or downloading any file/malware, and then hijacking and ultimately manipulating the infected users’ web traffic in order to generate ad-revenue.
Fireball malware infects 250 million computers
Currently, Fireball is said to install plug-ins and even additional configurations in order to boost its advertisements. However, it can easily be turned into a prominent distributor for any additional malware. Fireball can spy on victims, execute any malicious code in the infected machines, and can even perform efficient malware dropping. This all creates a massive security flaw in the targeted machines and networks.
Operation runs by Rafotech
It is believed that this operation is run by a large digital marketing agency, Rafotech. Based out in Beijing, Rafotech is using Fireball so as to manipulate a victim’s browser and turn his default search engine and even home page into an altogether fake search engine. So this ultimately redirects the queries of the user to either yahoo.com or Google.com. And, the fake search engine includes tracking pixels, which is used to collect the user’s private information.
250 million computers infected worldwide
The scope of this malware distribution is seriously alarming. According to reports, over 250 million computers have been infected worldwide. To be more country specific, 25.3 million infections have been witnessed in India which is around 10.1%; closely followed by Brazil that has recorded around 24.1 million infections (9.6%). The other most infected countries include Mexico and Indonesia.
Further 20% of all the corporate networks have been infected. The worst affected countries in this category include Indonesia, followed by India and Brazil. Ironically, Rafotech doesn’t admit it produces browser hijackers and fake search engines.
Acts as a browser-hijacker
Although Fireball acts as a browser hijacker; however, it can be turned into a full-functioning malware downloader also. Coming to the execution part on the victim’s machine, it is capable of executing any code, resulting in a wide range of actions starting from stealing credentials to dropping additional malware.
Spreading via bundling!
Fireball is said to be spreading mostly via bundling. It means that it is being installed on victim’s machine alongside a wanted program, and more often without the user’s consent! It is said to be bundled with Rafotech products such as Deal Wi-Fi and Mustang Browser. Also, it is said to be bundled via other freeware distributors, which include products such as FVP Image viewer, Soso Desktop, and others.
How can a user know if his machine is infected?
To check if your machine is infected or not; then first open your web browser and now answer these simple questions: Is the homepage set by you? Are you able to modify this home-page? Are you familiar with your default search engine and can you modify this as well? Do you remember about installing all of your browser extensions?
So, if the answer to any of these questions is ‘NO’, then this is a sign that your machine is infected with adware.
Read more about the malware on CheckPoint.