Check Point claims to have discovered the Fireball malware in 2017, but Microsoft claims to have been tracking it since 2015.
Authorship
The malware has been tracked to a Chinese company called Rafotech, a digital marketing agency based in Beijing. Rafotech has been bundling it with legitimate software that it provides to users. Some of the programs with which Rafotech bundled Fireball are Deal WiFi, Mustang Browser, SoSoDesk and FVP Image Viewer. Rafotech claims to have 300 million users worldwide but denies that it operates the fake search engines. Security researchers dispute this claim, noting that Rafotech may also have purchased additional distribution channels from other threat actors. The fake search engines are popular: 14 of them rank among the top 10,000 websites, and some reach the top 1,000.
Inner workings
The malware can run any code on a victim's computer, such as downloading an arbitrary file, and can hijack and manipulate the infected user's web traffic to generate advertising revenue. It installs plugins and additional configurations to boost its advertisements, and it has the potential to become a distributor for any additional malware. The malware is spread mostly through bundling: it is installed on a victim's machine alongside a wanted program, often without the user's consent. The digital marketing agency Rafotech has been identified as the producer of the software. The same company has been accused of hosting fake search engines, which redirect queries to yahoo.com or google.com. The fake search engines include tracking pixels used to collect private information from users. Fireball manipulates the infected browsers and turns their default search engines and home pages into the fake search engines mentioned above, which lets the software spy on users of the infected browsers. The Fireball malware does not conform to the usual characteristics of bundled software. Check Point asserts, “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user and they conceal their true nature.” Furthermore, Fireball “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multilayer structure and a flexible C&C.” Another deception is the use of legitimate-seeming digital certificates. Neither Rafotech’s fake search engines nor the malware itself carries any identifying marks. The program has the capability to run arbitrary code, download applications and harvest more sensitive information, such as banking and medical details. Cyber criminals could leverage the source code to create new types of malware.
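As an added example, not code from the original article or from Check Point or Microsoft, the following Python check audits a parsed browser preferences file for the hijacking behaviour described above: a home page, startup page or default search provider that points at a host outside an allowlist, or whose URL carries a per-install tracking identifier. The preferences key layout, the allowlist, the tracking parameter names and the sample files are assumptions constructed for this demonstration.

```python
import json
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: search/home page hosts an organisation treats as legitimate.
ALLOWED_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com", "duckduckgo.com"}

# Assumed query-string keys that commonly carry a per-install tracking identifier.
TRACKING_KEYS = {"uid", "clientid", "affid", "tid", "pid"}


def url_findings(kind, url):
    """Return a list of findings for one configured URL (empty list if clean)."""
    if not url:
        return []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if host not in ALLOWED_HOSTS:
        findings.append(f"{kind}: host '{host}' is not on the allowlist ({url})")
    # A search template such as ...?q={searchTerms}&uid=... is parsed like any query string.
    tracked = sorted(k for k in parse_qs(parsed.query) if k.lower() in TRACKING_KEYS)
    if tracked:
        findings.append(f"{kind}: URL carries tracking parameters {tracked}")
    return findings


def audit_preferences(prefs):
    """Audit the home page, startup URLs and default search provider of a preferences dict."""
    findings = url_findings("homepage", prefs.get("homepage", ""))
    for url in prefs.get("session", {}).get("startup_urls", []):
        findings += url_findings("startup_url", url)
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    findings += url_findings("default_search", search.get("url", ""))
    return findings


# Constructed sample: every entry points at a placeholder hijack host with a tracking id.
HIJACKED_PREFS = json.loads("""{
  "homepage": "http://fake-search.example/?uid=0123abcd",
  "session": {"startup_urls": ["http://fake-search.example/?uid=0123abcd"]},
  "default_search_provider_data": {"template_url_data": {
    "url": "http://fake-search.example/search?q={searchTerms}&uid=0123abcd"}}
}""")

# Constructed sample of an unmodified profile.
CLEAN_PREFS = {"homepage": "https://www.google.com/", "session": {"startup_urls": []},
               "default_search_provider_data": {"template_url_data": {
                   "url": "https://www.google.com/search?q={searchTerms}"}}}

if __name__ == "__main__":
    for line in audit_preferences(HIJACKED_PREFS):
        print(line)
```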
Infections
It is estimated that 250 million computers are infected worldwide. Check Point researchers also claim that the malware may have infected computers on 20% of corporate networks, making it a high-volume internet threat. According to this source, the highest infection rates were found in Indonesia, India and Brazil. It is speculated that the related browser hijacking operations form possibly the largest infection operation in history.

Table 1: The top countries infected with the Fireball malware

Country     % infected   Number of infections (millions)   Hit rate
India       10.1%        25.3                              43%
Brazil       9.6%        24.1                              38%
Mexico       6.4%        16.1                              N/A
Indonesia    5.2%        13.1                              60%
US           2.2%         5.5                              10.7%
Microsoft disputes these numbers. It has been tracking the malware since 2015, and its figures are based on the Fireball infections cleaned by Windows Defender and the Malicious Software Removal Tool; based on that collected data, the total is 40 million infections. Check Point researchers instead counted visits to the malware-carrying search pages rather than the infected devices themselves.