Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.