A newly discovered piece of malware managed to infect more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, Check Point researchers warn.
Dubbed Fireball, the malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims. Thus, its operators can download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue.
“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” Check Point says.
The campaign, the security company reveals, is run by a large digital marketing agency based in Beijing, called Rafotech. With the help of this malware, the agency manipulates the victims’ browsers to turn search engines and home-pages into fake search engines, redirect queries to Yahoo.com or Google.com, and collect victims’ private information via tracking pixels included in the fake search engines.
Rafotech’s fake search engines have high popularity, with 14 of them ranked among the top 10,000 websites, some occasionally reaching top 1,000. Despite denying the use of browser-hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated infections.
To date, Fireball has infected over 250 million computers worldwide, being distributed mainly bundled with legitimate programs. India (25.3 million infections) and Brazil (24.1 million) were hit the most, followed by Mexico (16.1 million), and Indonesia (13.1 million). A total of 5.5 million infected machines are located in the United States.
Check Point also says that 20% of all corporate networks have been affected. Indonesia (60%), India (43%) and Brazil (38%) were hit the most. The hit rate in the US is of 10.7%, while reaching only 4.7% in China.
Related reading: China, U.S. Most Affected by WannaCry Ransomware
As a browser-hijacker, Fireball is capable of driving victims to malicious sites, spying on them, and also successfully dropping malware onto their machines. The malware also “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C,” Check Point says.
Thus, Fireball provides Rafotech with a potent backdoor that can be further exploited, the security researchers point out.
By using digital certificates, Fireball’s distribution can appear legitimate, and “Rafotech carefully walks along the edge of legitimacy,” Check Point says. For that, the company uses bundling, where a wanted program installs additional software, either with or without user’s consent.
Rafotech’s distribution methods, however, don’t follow criteria that would allow for them to be considered legal. The malware and the fake search engines, on the other hand, don’t carry indicators that could connect Rafotech to them. They can’t be uninstalled by an ordinary user either, and they conceal their true nature.
For distribution purposes, the malware is believed to be bundled with other Rafotech products, such as Deal Wifi and Mustang Browser, or with products such as “Soso Desktop”, “FVP Imageviewer” and other software from freeware distributors. The distribution of freeware under fake names, spam, or even buying installs from threat actors might have also helped Rafotech in its distribution efforts.
“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes,” Check Point says.
Other browser-hijackers that behave similarly have been also discovered, including one designed by ELEX Technology, a company that builds software similar to that of Rafotech’s and supposedly related to it (either in the distribution of hijackers or in the trading of customer data).
Having a great sensitive information-harvesting potential, Fireball and similar browser-hijackers can pose a huge threat to users and organizations worldwide, provided that Rafotech (or a similar company) decides to indeed gather user information. It could steal banking and credit card credentials, medical files, patents and business plans, and other type of sensitive information.
“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years,” Check Point says.
While this is not a typical malware attack, the campaign has a huge potential to cause harm, and should be blocked, the security company says. Check Point also provides instructions on how users can remove the malware and add-ons from their machines (for both Windows and Mac users).
Related: This Stealthy Malware Remained Unnoticed for Three Years
Related: Linguistic Analysis Suggests WannaCry Authors Speak Chinese