A new malware going by the name Fireball has been detected in the wild infecting millions of computers worldwide. The malware takes control of an infected computer’s browser and adds it to its botnet. According to security analysts at Check Point, the malware appears to be of Chinese origin and has infected over 250 billion computers worldwide, with 20% of affected computers in corporate networks. Fireball has been spotted predominantly in India, Brazil, and Mexico.
The malware operation originated from a Chinese digital marketing firm named Rafotech. Fireball operates as a browser hijacker, capable of taking control of users’ web browsers. It can also download and install further malicious payloads. Fireball spreads via bundling, meaning it installs itself alongside a wanted program without the user’s knowledge or consent.
So far, the primary purpose of Fireball is to redirect users’ browsers to fake search engines to increase Rafotech’s ad revenue. The campaign appears to have been successful, given that Rafotech’s fake search engines rank among the top 10,000 websites in Alexa’s ranking. The fake search engines also carry tracking pixels that can be used to collect user information. Another feature of Fireball is the ability to download and run malicious code on the orders of its C&C server. Analysts at Check Point state that the malware is highly sophisticated and has the potential to cause significant damage.
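As an added example (not from this article or the Check Point report), here is a small Python check a defender could run over a Chromium-style browser Preferences file to flag the symptoms described above: a homepage, startup URL or default search provider pointing at a host outside an approved list. The sample preferences, the hostnames and the approved list are constructed placeholders, not real Fireball indicators.

```python
import json
from urllib.parse import urlparse

# Constructed sample loosely modelled on the layout of a Chromium Preferences file.
# The *.invalid hosts are placeholders standing in for a hijacker's fake search engine.
HIJACKED_PREFS = json.dumps({
    "homepage": "http://search-example.invalid/?src=hp",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["http://search-example.invalid/?src=startup"],
    },
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "search-example.invalid",
            "url": "http://search-example.invalid/search?q={searchTerms}&uid=123",
        }
    },
})

# Constructed clean profile for comparison.
CLEAN_PREFS = json.dumps({
    "homepage": "https://www.google.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 1, "startup_urls": []},
})

# Search/homepage hosts the organisation has approved; anything else is reported.
APPROVED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def host_of(url):
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def find_hijack_indicators(prefs_json, approved=APPROVED_HOSTS):
    """Return (setting, url) pairs whose host is not on the approved list."""
    prefs = json.loads(prefs_json)
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage and not prefs.get("homepage_is_newtabpage") and host_of(homepage) not in approved:
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in approved:
            findings.append(("startup_url", url))
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tud.get("url", "")
    if search_url and host_of(search_url) not in approved:
        findings.append(("default_search_provider", search_url))
    return findings
```

Run it against each user profile's Preferences file on a fleet and alert on any non-empty result; an unexpected search provider with a per-user identifier in its URL is exactly the tracking behaviour described above.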
“From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C – it is not inferior to a typical malware. Many threat actors would like to have a fraction of Rafotech’s power, as Fireball provides a critical backdoor, which can be further exploited.”
The Fireball incident is the second worldwide malware attack this year, after the WannaCry incident. Not only that, but the scope of this infection could be the largest in history. This trend will likely continue throughout the year, as predicted by Verizon’s DBIR, especially since The Shadow Brokers have not yet released their July NSA exploit leak. If we do not adapt this year and implement some large security contingency plans, then we will all be in some deep covfefe.