A high volume “Chinese malware named Fireball infected over 250 million computers worldwide out of which 20% were corporate networks“, reported Check Point, a San Carlo and Tel Aviv-based security software company. The malware that takes over browsers can turn them into what the security company calls ‘zombie‘, a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse.
The infections were first detected a few months ago and reported last month by Check Point.
— Stephanie Thomaston (saSHA) (@sthomastons) June 14, 2017
Who Was Behind The Malware Attack?
Check Point named Rafotech, a large digital marketing agency based in Beijing to have been behind the malware. This is one of the few instances where security researchers were able to identify the organization behind the spread of malware. Mostly, these are loosely-knit groups of hackers and hobbyists who break into systems.
How Does It Spread?
It adopts the most pervasive malware spreading method of ‘bundling’ it with legitimate software.
The malware is said to initially take over a target’s browser and then latched on to the system by acting as a ‘malware downloader’ capable of executing code on that machine. This may result in additional malware being planted to the system or stealing credentials.
Who Was Hit Hardest?
India, Brazil, Mexico, Indonesia, and the USA were among the countries hit hardest by the malware.
Out of the 250 million machines that got infected by the malware, 25.3 million were in India, 24.1 million in Brazil, 16.1 million in Mexico, 13.1 million in Indonesia followed by The United States that witnessed 5.5 million infections, recorded Check Point.
That’s pretty much everyone.
What’s The Motive Behind The Malware?
The malware gives its owners the ability to run any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web traffic to generate ad revenue.
Or it could be outright stealing of credentials and infecting users with other malicious malware. I recall having accidentally installed an adware (I presume it was a malware the way it behaved on my machine). It did several nasty things to my laptop including but not limited to query routing, changed the default search engine, caused some words in a web page to be underlined and hyperlinked, and the system slows down. It only went away after a lot of troubleshooting. The malware went away but took with it the Microsoft Edge browser which doesn’t run on my machine anymore.
Or it could be more dangerous than that. Recently, IDT Corporation was hit by a ransomware cyber attack but the real motive behind the attack was stealing employee credentials. The ransomware was only an attempt to mask the real attack. That’s what Check Point wrote in the research it did on Rafotech’s browser hijacking malware. The security software company fears that the Chinese company might use its penetration power to infect computers with more sophisticated and advanced malware.
I recall having accidentally installed an adware (I presume it was a malware the way it behaved on my machine). It did several nasty things to my laptop including but not limited to query routing, changed the default search engine, caused some words in a web page to be underlined and hyperlinked, and the system slows down. It only went away after a lot of troubleshooting. The malware went away but took with it the Microsoft Edge browser which doesn’t run on my machine anymore.
And, when I read the research by Check Point describing how Rafotech’s browser-hijackers operation works, I’m sure I was one of the victims.
Is it something new? Probably not. How many of us know what happens behind the scenes when we install a non-trusted freeware. The research by Check Point doesn’t come as a surprise to the knowledgeable. According to IC3 (Internet Crime Complaint Center), the most prevalent internet crime sources are business email compromise, ransomware, and tech support fraud.