New malware hit more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, researchers said.
The Fireball malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims, said researchers at Check Point.
Its operators can download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue.
“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” Check Point researchers said in a blog post.
The campaign is run by a large digital marketing agency based in Beijing, called Rafotech, Check Point researchers said. With the help of this malware, the agency manipulates the victims’ browsers to turn their search engines and home pages into fake search engines, redirects queries to Yahoo.com or Google.com, and collects victims’ private information via tracking pixels embedded in the fake search engines.
Rafotech’s fake search engines are highly popular, with 14 of them ranked among the top 10,000 websites and some occasionally reaching the top 1,000. Despite denying the use of browser hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated infections.
To date, Fireball has infected over 250 million computers worldwide and is distributed mainly by being bundled with legitimate programs. India (25.3 million infections) and Brazil (24.1 million) were hit the most, followed by Mexico (16.1 million) and Indonesia (13.1 million). A total of 5.5 million infected machines are in the United States.
Check Point also said 20 percent of all corporate networks have been affected. Indonesia (60 percent), India (43 percent) and Brazil (38 percent) were hit the most. The hit rate in the US is 10.7 percent, while in China it reaches only 4.7 percent.
Fireball is capable of driving victims to malicious sites, spying on them, and dropping further malware onto their machines. The malware also “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C,” Check Point said.
Check Point researchers provided instructions on how users can remove the malware and its browser add-ons from their machines, for both Windows and Mac users.
“We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies,” said Check Point researchers.
“The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem,” they said. “With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s activities make it an immense threat.”