The Fireball malware already infected more than 250 million computers worldwide running both Windows and Mac OS

Security researchers at Check Point have discovered a massive malware campaign spreading the Fireball malware. The malicious code has already infected more than 250 million computers worldwide running both Windows and Mac OS.

The Fireball malware can be used by attackers to gain full controls of the victim’s web browsers, it could be used to spy on the victims and exfiltrate user data.

The researchers associated the campaign with the operation of the Chinese firm Rafotech that is a company that officially offers digital marketing and game apps to 300 million customers.

“Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware,  Fireball, takes over target browsers and turns them into zombies. ” reads the analysis published by CheckPoint. “Fireball has two main functionalities:  the ability to run any code on victim computers–downloading any file or malware, and  hijacking and manipulating infected users’ web-traffic to generate ad-revenue.

The company is accused of being using the Fireball malware for generating revenue by injecting advertisements onto the browsers, but experts highlighted that the malicious code can be used to comprise a large number of devices.

CheckPoint discovered that Fireball comes bundled with other free software programs once compromised a machine, it installs browser plugins to manipulate the victim’s web browser.

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes.” continues the analysis.“Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.”

The malware replaces the default search engines and home pages with fake search engines (trotux.com).

The search engine redirects the victim’s queries to either Yahoo.com or Google.com and then includes tracking pixels to collect the victim’s information.

Fireball allows attackers to spy on victim’s web traffic, execute any malicious code, install plug-ins, and also download other payloads.

“From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C– it is not inferior to a typical malware.” continues check Point

Currently, cyber criminals use the Fireball adware to hijacking users’ web traffic to boost its advertisements

The experts estimated that the Fireball malware has already infected more than 250 million computers worldwide, roughly 20 percent of them are corporate networks.

• 25.3 million infections in India (10.1%)
• 24.1 million in Brazil (9.6%)
• 16.1 million in Mexico (6.4%)
• 13.1 million in Indonesia (5.2%)
• 5.5 million In US (2.2%)

To check the presence of the malware on your systems open your web browser and try to reply the following questions:

1. Did you set your homepage?
2. Are you able to modify your browser’s homepage?
3. Are you familiar with your default search engine and can modify that as well?
4. Do you remember installing all of your browser extensions?

To uninstall the adware just remove the respective application from the machine and reset to default settings for your browser.

As usual, let me suggest paying attention when installing software, install only the software you need and check every option the software installers display.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Fireball malware, adware)

[adrotate banner=”13″]