Check Point Threat Intelligence and research teams recently discovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, named Fireball, takes over target browsers, turning them into zombies.

Fireball has two main functionalities: the ability to run any code on victim computers and download any file or malware, and the ability to hijack and manipulate infected users' web traffic to generate ad revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but it can just as easily turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate victims' browsers, turning their default search engines and home pages into fake search engines that simply redirect the queries to either yahoo.com or google.com. The fake search engines include tracking pixels used to collect users' private information. Fireball can also spy on victims, drop further malware efficiently, and execute any malicious code on infected machines, creating a massive security hole in targeted machines and networks.
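A practical check for the kind of browser-default tampering described above, added here as an example rather than code from Check Point or from the Fireball campaign: it reads a Chrome `Preferences` JSON file and flags a homepage, startup URL or default search provider that points at a host outside an allow-list of engines the user actually chose. The preference keys used, the allow-list, and the `search.hijacked.example` domain in the sample are assumptions constructed for this example, not indicators from the research.

```python
# Added example, not Check Point's or Rafotech's code: flag browser defaults that
# a Fireball-style hijacker would rewrite. It parses a Chrome "Preferences" JSON
# file and reports a homepage, startup URL or default search provider whose host
# is not on an allow-list. The key layout (homepage, session.startup_urls,
# default_search_provider_data.template_url_data.url) is what Chrome writes,
# stated here as an assumption; the sample JSON below is constructed.
import json
from urllib.parse import urlparse

# Hosts the user legitimately uses for search and start pages (assumption).
ALLOWED_HOSTS = {
    "www.google.com", "google.com",
    "www.yahoo.com", "search.yahoo.com",
    "www.bing.com", "duckduckgo.com",
}

# Placeholder Chrome uses in its built-in Google search template (assumed).
GOOGLE_PLACEHOLDER = "{google:baseURL}"


def host_of(url):
    """Lower-cased host of `url`, or '' when there is no host to compare."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def suspicious_urls(prefs):
    """Return [(setting, url), ...] for every browser default off the allow-list.

    A hijacker that swaps the default engine for a redirecting look-alike shows
    up here as a search_url (or search_suggestions_url) on an unexpected host.
    """
    candidates = []
    if prefs.get("homepage"):
        candidates.append(("homepage", prefs["homepage"]))
    for u in prefs.get("session", {}).get("startup_urls", []):
        candidates.append(("startup_url", u))
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url"):
        if dsp.get(key):
            candidates.append(("search_" + key, dsp[key]))

    findings = []
    for setting, url in candidates:
        if url.startswith(GOOGLE_PLACEHOLDER):
            continue  # built-in Google engine: no literal host to check
        # Search templates look like https://host/?q={searchTerms}; the
        # placeholder sits in the query string, so urlparse still yields the host.
        h = host_of(url)
        if h and h not in ALLOWED_HOSTS:
            findings.append((setting, url))
    return findings


def check_preferences_file(path):
    """Load a Chrome Preferences file from disk and run the check on it."""
    with open(path, encoding="utf-8") as f:
        return suspicious_urls(json.load(f))


# Constructed sample: defaults rewritten to a look-alike engine on a reserved
# .example domain that forwards queries elsewhere (hypothetical host).
HIJACKED_PREFS = json.loads("""
{
  "homepage": "http://search.hijacked.example/",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://search.hijacked.example/?src=home"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Search",
      "keyword": "hijacked.example",
      "url": "http://search.hijacked.example/?q={searchTerms}&src=ie",
      "suggestions_url": "http://search.hijacked.example/suggest?q={searchTerms}"}}
}
""")

# Constructed sample of an untouched profile using Chrome's built-in template.
CLEAN_PREFS = json.loads("""
{
  "homepage": "https://www.google.com/",
  "session": {"restore_on_startup": 1, "startup_urls": []},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Google", "keyword": "google.com",
      "url": "{google:baseURL}search?q={searchTerms}",
      "suggestions_url": "{google:baseURL}complete/search?q={searchTerms}"}}
}
""")

if __name__ == "__main__":
    for name, prefs in (("hijacked", HIJACKED_PREFS), ("clean", CLEAN_PREFS)):
        found = suspicious_urls(prefs) or [("(none)", "all defaults on allow-list")]
        for setting, url in found:
            print(f"{name}: {setting} -> {url}")
```

On a live Windows profile, point `check_preferences_file` at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` (with Chrome closed, since it rewrites the file). The check only covers what the page describes, rewritten search and home-page defaults; it does not inspect installed extensions, which a hijacker may also use, nor Firefox's `prefs.js`.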

KEY FINDINGS
• Check Point analysts uncovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
• The malware, called Fireball, acts as a browser hijacker but can be turned into a fully functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions ranging from stealing credentials to dropping additional malware.
• Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user's consent.
• The operation is run by a Chinese digital marketing agency.
• Top infected countries are India (10.1%) and Brazil (9.6%).

The scope of the malware distribution is quite alarming. According to our analysis, over 250 million computers worldwide are infected: specifically, there are 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). In the United States we have witnessed 5.5 million infections (2.2%).