Malware

The Fireball malware already infected more than 250 million computers worldwide running both Windows and Mac OS

Check Point have discovered a massive malware campaign spreading the Fireball malware, it has already infected more than 250 million computers worldwide

Security researchers at Check Point have discovered a massive malware campaign spreading the Fireball malware. The malicious code has already infected more than 250 million computers worldwide running both Windows and Mac OS.

The Fireball malware can be used by attackers to gain full controls of the victim’s web browsers, it could be used to spy on the victims and exfiltrate user data.

The researchers associated the campaign with the operation of the Chinese firm Rafotech that is a company that officially offers digital marketing and game apps to 300 million customers.

“Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware,  Fireball, takes over target browsers and turns them into zombies. ” reads the analysis published by CheckPoint. “Fireball has two main functionalities:  the ability to run any code on victim computers–downloading any file or malware, and  hijacking and manipulating infected users’ web-traffic to generate ad-revenue.

The company is accused of being using the Fireball malware for generating revenue by injecting advertisements onto the browsers, but experts highlighted that the malicious code can be used to comprise a large number of devices.

CheckPoint discovered that Fireball comes bundled with other free software programs once compromised a machine, it installs browser plugins to manipulate the victim’s web browser.

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes.” continues the analysis.“Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.”

The malware replaces the default search engines and home pages with fake search engines (trotux.com).

The search engine redirects the victim’s queries to either Yahoo.com or Google.com and then includes tracking pixels to collect the victim’s information.

Fireball allows attackers to spy on victim’s web traffic, execute any malicious code, install plug-ins, and also download other payloads.

“From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C– it is not inferior to a typical malware.” continues check Point

Currently, cyber criminals use the Fireball adware to hijacking users’ web traffic to boost its advertisements

The experts estimated that the Fireball malware has already infected more than 250 million computers worldwide, roughly 20 percent of them are corporate networks.

“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach,” researchers added.

Below some data on the Global Infection Rate:
  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million In US (2.2%)

To check the presence of the malware on your systems open your web browser and try to reply the following questions:

  1. Did you set your homepage?
  2. Are you able to modify your browser’s homepage?
  3. Are you familiar with your default search engine and can modify that as well?
  4. Do you remember installing all of your browser extensions?

To uninstall the adware just remove the respective application from the machine and reset to default settings for your browser.

As usual, let me suggest paying attention when installing software, install only the software you need and check every option the software installers display.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fireball malware, adware)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Two Linux flaws can lead to the disclosure of sensitive data

Qualys warns of two information disclosure flaws in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise…

8 hours ago

Meta stopped covert operations from Iran, China, and Romania spreading propaganda

Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread…

1 day ago

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

2 days ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

2 days ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

2 days ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

2 days ago