'Fireball' malware infects 250 million PCs, one in five corporate networks affected

Joanna Estrada
June 3, 2017

Check Point traces the infection to Rafotech, a digital marketing agency based in Beijing. The malware, called Fireball, takes control of the user's browser.

Check Point advises users to remove Fireball by uninstalling the adware from Programs and Features on Windows, or from the Applications folder in Finder on Macs. Because the adware changes the browser's home page and default search engine, those settings should be checked and reset after the uninstall.

About 250 million computers have been infected worldwide by a high-volume Chinese threat operation that hijacks web browsers and turns computers into 'zombies', according to a Check Point report released Thursday.

While Fireball currently appears to be used exclusively to install plug-ins and configurations that boost advertising revenue, researchers believe it could easily be weaponized to spy on victims, execute malicious code, or drop additional malware on infected machines.

"Fireball has two main functions: the ability of running any code on victim computers, downloading any file or malware, and hijacking and manipulating infected users' web-traffic to generate ad-revenue", Check Point said.

"This redirects the queries to either yahoo.com or Google.com", wrote Check Point. "But it is able to pull any other malware to the infected devices, so it has a maliciousness". Indonesia, India and Brazil top the list of countries whose corporate networks have been hit by Fireball; 60% of Indonesian corporations are infected. The fake search engines that Fireball installs also embed tracking pixels, which are used to follow a user's actions from one site to the next.
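The relay behaviour described above (a fake search engine that forwards the user's query to Yahoo or Google and loads tracking pixels on the way) leaves a recognisable pattern in a web-proxy log: a request to an unfamiliar domain carrying a search query, followed seconds later from the same client by the same query reaching a legitimate engine. The script below is an added example written for this article, not code from Check Point's report or from Rafotech; the proxy log format, the `hijacked-search.invalid` hostname and all log entries are constructed for illustration.

```python
"""
Hunt for browser search hijacking in web-proxy logs.

Heuristic: a Fireball-style hijacker replaces the browser's default search
engine with a relay site.  On the wire that appears as
  1. a request to a non-search domain that carries a search-query parameter,
  2. followed within a few seconds, from the same client, by a request to a
     legitimate engine (google.com / yahoo.com) carrying the same query.
Assumed log format (constructed): "<ISO timestamp> <client IP> <method> <URL> <status>".
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Engines that the relay is observed forwarding to (the article names both).
LEGIT_SEARCH_DOMAINS = {"www.google.com", "search.yahoo.com"}
# Query-string parameters that carry the search text: Google uses "q", Yahoo uses "p".
QUERY_PARAMS = ("q", "p", "query")
# Maximum gap between the relay request and the real search it forwards to.
WINDOW_SECONDS = 5

# Constructed sample log. Client 10.0.0.21 searches through a relay twice;
# 10.0.0.35 searches Google directly; 10.0.0.50 uses an intranet search page
# that never forwards to a public engine, so it must not be flagged.
SAMPLE_PROXY_LOG = """\
2017-06-01T09:15:02 10.0.0.21 GET http://hijacked-search.invalid/?q=quarterly+report 302
2017-06-01T09:15:02 10.0.0.21 GET http://hijacked-search.invalid/px.gif?uid=8842 200
2017-06-01T09:15:04 10.0.0.21 GET https://www.google.com/search?q=quarterly+report 200
2017-06-01T09:20:11 10.0.0.35 GET https://www.google.com/search?q=vpn+setup 200
2017-06-01T09:31:40 10.0.0.21 GET http://hijacked-search.invalid/?q=flight+prices 302
2017-06-01T09:31:41 10.0.0.21 GET https://search.yahoo.com/search?p=flight+prices 200
2017-06-01T09:45:00 10.0.0.50 GET http://intranet.corp.invalid/wiki?q=onboarding 200
"""


def parse_line(line):
    """Split one constructed-format log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status)}


def extract_query(url):
    """Return (host, normalised search text) or (host, None) if no query parameter."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    for name in QUERY_PARAMS:
        if name in qs:
            return parts.netloc.lower(), qs[name][0].strip().lower()
    return parts.netloc.lower(), None


def find_hijacked_searches(lines):
    """Return one finding per (client, relay host, engine, query) relay observed."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        host, query = extract_query(rec["url"])
        if query is not None:
            per_client[rec["client"]].append((rec["ts"], host, query))

    findings = []
    for client, events in per_client.items():
        events.sort()
        for i, (ts, host, query) in enumerate(events):
            if host in LEGIT_SEARCH_DOMAINS:
                continue  # a direct search is not a relay
            for ts2, host2, query2 in events[i + 1:]:
                if (ts2 - ts).total_seconds() > WINDOW_SECONDS:
                    break  # events are time-ordered; nothing later can match
                if host2 in LEGIT_SEARCH_DOMAINS and query2 == query:
                    findings.append({"client": client, "relay_host": host,
                                     "engine": host2, "query": query})
                    break
    return findings


if __name__ == "__main__":
    for f in find_hijacked_searches(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f['client']} searched '{f['query']}' via {f['relay_host']} -> {f['engine']}")
```

On the sample log this flags the two relayed searches from 10.0.0.21 and nothing else. In production the allowlist would be widened to every engine the organisation legitimately uses, and any relay host surfaced this way becomes a candidate for a block rule and for a hunt across the rest of the fleet, since the article notes that the same fake engines are installed on a large share of corporate networks.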

[Figure: Fireball malware flow chart. How Fireball enters the PC, runs a fake search engine and spies on victims' PCs. Source: Check Point]

India and Brazil appear to be hit the hardest by the malware, but according to Check Point 5.5 million US users have also been infected, and worse, 20 percent of all corporate networks worldwide may be as well.

The United States accounts for 5.5 million infections (2.2 percent). Fireball is distributed by bundling: it is installed on victim machines alongside a program the user actually wanted, often without the user's consent. "The malware and the fake search engines don't carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they hide their true nature", the researchers wrote. According to Alexa's web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is.

Check Point notes that although Fireball is at heart a browser hijacker, it is technically sophisticated: it uses anti-detection techniques, a multi-layer structure and flexible command and control (C&C).

Rafotech spreads its adware by bundling it with legitimate software, sometimes without giving users the opportunity to opt out of the installation.
