First WannaCry, now Fireball

First WannaCry, now Fireball

Threat intelligence and research teams from cyber security firm Check Point recently discovered a high volume Chinese threat operation behind an installed malware called Fireball which is said to have infected over 250 million computers worldwide – and 20% of corporate networks.

According to the cyber security company Fireball can run any code on victim computers and download any file or malware; as well as hijack and manipulate infected users' web-traffic to generate ad-revenue.

Fireball is said to spread mostly via bundling or installed on victim machines alongside a wanted program, often without the user's consent. "It takes over target browsers, turning them into zombies," reads a statement issued by Check Point.

The company estimates that 38.43% of the corporate networks in South Africa has at least 1 infected machine in their network.

Infection rates across other African countries: Angola - 73.08%; Nigeria - 59.02%; Uganda - 57.89%; Kenya - 51.56%.

"Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware," the company says.

"This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims' browsers and turn their default search engines and home-pages into fake search engines which simply redirect the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users' private information. Fireball can also spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, thus creating a massive security flaw in targeted machines and networks," Check Point continues.

The cyber security firm has confirmed that there are no parallels that can be drawn between Fireball and WannaCry, but the research does show a general increase in malware.

Read more