Check Point identifies "Fireball" malware as a high volume threat operation originating from China

A new malware by the name of ‘Fireball’ has been identified by the Check Point Threat Intelligence and research team as a high volume Chinese threat operation which has infected over 250 million computers worldwide.

Much like the ‘WannaCry’ ransomware, which has recently plagued the world, Fireball also infects host computers and turns them into zombies. Fireball has three main functionalities: running any code on victim computers, downloading any file or malware, and hijacking and manipulating infected users’ web traffic to generate ad revenue.

The operation is currently being run by Rafotech, a digital marketing agency based in China. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home pages into fake search engines. Fireball is spread mostly via bundling, i.e. it is installed on victim machines alongside a wanted program, often without the user’s consent.

From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, a multi-layer structure and a flexible C&C, indicating that it is no less capable than typical malware.

Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code on the infected machines. The most infected countries are India (10.1%) and Brazil (9.6%). According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

The Indian Computer Emergency Response Team has issued a red alert advisory on the Fireball malware and has put up detailed instructions on how to identify whether your computer has been infected. Telltale signs include a browser home page and default search engine that differ from the ones you have been using.
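The telltale signs above (a changed home page and a swapped default search engine) are exactly the settings a browser hijacker rewrites, and they can be checked mechanically rather than by eye. The script below is an added illustration written for this page; it is not code from Check Point, Rafotech or CERT-In. It assumes the Chromium-style Preferences JSON layout (the keys `homepage`, `session.startup_urls` and `default_search_provider_data.template_url_data.url`, which current Chrome builds write); other browsers need their own reader. The trusted-host allowlist, the hijacker domain `search.example-hijacker.test` and both sample preference documents are constructed for the example.

```python
"""Audit a Chromium-style Preferences file for a hijacked home page or search engine.

Added example for this article, not code from the vendors or CERTs it cites.
Assumption: the Chromium Preferences JSON layout (keys 'homepage',
'session.startup_urls' and 'default_search_provider_data.template_url_data.url').
All sample values below are constructed.
"""
import json
import sys
from urllib.parse import urlparse

# Hosts the organisation considers legitimate for a home page or search provider
# (constructed allowlist; replace with your own).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com", "intranet.example.org"}

# Constructed preference documents: one rewritten by a hypothetical hijacker, one clean.
SAMPLE_HIJACKED = {
    "homepage": "http://search.example-hijacker.test/",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["http://search.example-hijacker.test/start"]},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "example-hijacker.test",
            "short_name": "Fake Search",
            "url": "http://search.example-hijacker.test/?q={searchTerms}",
        }
    },
}
SAMPLE_CLEAN = {
    "homepage": "https://intranet.example.org/",
    "session": {"startup_urls": ["https://intranet.example.org/"]},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "google.com",
            "url": "https://www.google.com/search?q={searchTerms}",
        }
    },
}


def _host(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_trusted(host, trusted):
    """True if host equals a trusted host or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit_browser_prefs(prefs, trusted=TRUSTED_HOSTS):
    """Return (setting, value) pairs whose host is not on the allowlist.

    Checks the three settings a browser hijacker typically rewrites: the home
    page, the start-up URLs and the default search provider's query template.
    An empty list means nothing suspicious was found.
    """
    findings = []

    homepage = prefs.get("homepage")
    if homepage and not _is_trusted(_host(homepage), trusted):
        findings.append(("homepage", homepage))

    for url in prefs.get("session", {}).get("startup_urls", []):
        if not _is_trusted(_host(url), trusted):
            findings.append(("session.startup_urls", url))

    template = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = template.get("url", "")
    # The template carries placeholders such as {searchTerms} in its query
    # string; the host part is still a plain hostname, so urlparse handles it.
    if search_url and not _is_trusted(_host(search_url), trusted):
        findings.append(("default_search_provider_data.template_url_data.url", search_url))

    return findings


def audit_prefs_file(path, trusted=TRUSTED_HOSTS):
    """Load a Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_browser_prefs(json.load(fh), trusted)


if __name__ == "__main__":
    # With a path argument, audit a real profile's Preferences file;
    # otherwise run the constructed samples.
    if len(sys.argv) > 1:
        results = audit_prefs_file(sys.argv[1])
    else:
        results = audit_browser_prefs(SAMPLE_HIJACKED)
    for setting, value in results:
        print(f"SUSPICIOUS {setting}: {value}")
    if not results:
        print("no untrusted home page or search provider found")
```

Run it with the path to a profile's Preferences file (on Windows typically under the user's `AppData\Local\Google\Chrome\User Data\Default` directory; path given as an assumption). An allowlist rather than a blocklist of known fake search domains is the deliberate choice: a hijacker can register a new domain at any time, but a user's legitimate home page and search provider rarely change, so anything outside the allowlist is worth a look.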

Published Date: Jun 04, 2017 13:22 PM | Updated Date: Jun 04, 2017 13:22 PM