Rafotech makes malware as part of an ad scam
Image: Effect Hacking.

On Thursday, Check Point released a report on the discovery of a new Chinese malware called Fireball, made by the marketing firm Rafotech. It is bundled with some of their products, and it is capable of remote code execution and web traffic manipulation.

Researchers from the cybersecurity firm estimate that 250 million computers around the world have been infected with Fireball so far. Countries like the United States, Russia, and China have reported the malware, but according to the report developing economies are the most affected.

Luckily, Fireball is relatively easy to remove from any system; its reach depends on users who ignore suspicious signs until their work is affected. Restoring browser settings and uninstalling it via the Control Panel should be enough to stay safe.

What is Fireball and how does it work?

Fireball is a piece of malware that serves as Rafotech’s main instrument to capitalize on their ad campaigns. The large-scale operation by the Chinese firm consists of bundling Fireball along with some of their other products, such as Mustang Browser and DEAL WiFi.

In this way, unsuspecting users download the malware themselves, making other infiltration methods unnecessary. Once installed, it can run scripts that manipulate web traffic so that it passes through Rafotech's intended channels instead of others.

The Chinese malware behaves like many older browser hijackers, replacing the browser's home page with a proprietary one in order to track web activity. Searches still end up at Google or Yahoo, but along the way the firm can show the user sites that feature its ads.

However, that is not the software's sole objective. Fireball can also use tracking pixels, so Rafotech could technically collect any sensitive data it wishes. It is also capable of executing code remotely, downloading more malware, and so on.

How to know if you are infected with Fireball and how to solve it

Check Point notes that the most Fireball-infected countries are India, Brazil, Mexico, and Indonesia. Of the 250 million machines carrying the malware, more than 10% are in India. The research shows that 20% of all corporate networks are affected globally.

If you, as an ordinary user, have downloaded any Rafotech software recently or noticed changes in your browsing sessions like the ones described above, then you may have Fireball running unnoticed on your machine.

To get rid of it, check your browser's extensions and delete any suspicious add-ons. Restoring the default settings is also advised if you find a home page you didn't set up yourself.

Furthermore, if Fireball arrived bundled with other programs, it is likely to appear in your installed programs list like any ordinary application. Uninstall it yourself from the Control Panel and run anti-malware software such as Malwarebytes to ensure its complete removal.
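The three checks above (installed programs, browser extensions, home page) can be gathered in one read-only pass. The PowerShell script below is an added example, not code from the article or from Check Point's report. It matches installed programs against the names the article mentions (Rafotech, Mustang Browser, DEAL WiFi), lists the Chrome extensions in the default profile, and prints the configured home or start page for Internet Explorer, Chrome and Firefox so that a page you did not set stands out. The registry keys and profile paths are the standard Windows and browser locations; the suspect-name list is an assumption taken from the article and should be extended as needed. The script changes nothing; removal is still done through the Control Panel and the browser's extension page as described above.

```powershell
# Added triage example (not from the article or Check Point). Read-only: it
# reports, it does not uninstall or modify anything.

# Names mentioned in the article; an assumption, extend to fit your environment.
$SuspectNames = @('Rafotech', 'Mustang Browser', 'DEAL WiFi')

function Get-SuspectPrograms {
    # Per-machine (64- and 32-bit) and per-user uninstall entries: the same data
    # the Control Panel "Programs and Features" list is built from.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $entry = $_
            # Keep the entry if any suspect name appears in its name or publisher.
            $SuspectNames | Where-Object {
                $entry.DisplayName -like "*$_*" -or $entry.Publisher -like "*$_*"
            }
        } |
        Select-Object DisplayName, Publisher, InstallDate, UninstallString
}

function Get-ChromeExtensions {
    # Each extension lives under <profile>\Extensions\<id>\<version>\manifest.json.
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $extRoot)) { return }
    Get-ChildItem -Path $extRoot -Directory | ForEach-Object {
        $id = $_.Name
        Get-ChildItem -Path $_.FullName -Directory | ForEach-Object {
            $manifestPath = Join-Path $_.FullName 'manifest.json'
            if (Test-Path $manifestPath) {
                $manifest = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
                [pscustomobject]@{
                    Id          = $id
                    Version     = $_.Name
                    Name        = $manifest.name      # may be a __MSG_*__ localisation key
                    Permissions = ($manifest.permissions -join ', ')
                }
            }
        }
    }
}

function Get-HomePageSettings {
    # Internet Explorer / legacy start page
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ie) {
        [pscustomobject]@{ Browser = 'IE'; Setting = 'Start Page'; Value = $ie.'Start Page' }
    }
    # Chrome keeps the home page and startup URLs in the profile's Preferences JSON.
    $prefFile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
    if (Test-Path $prefFile) {
        $prefs = Get-Content -Path $prefFile -Raw | ConvertFrom-Json
        [pscustomobject]@{ Browser = 'Chrome'; Setting = 'homepage';     Value = $prefs.homepage }
        [pscustomobject]@{ Browser = 'Chrome'; Setting = 'startup_urls'; Value = ($prefs.session.startup_urls -join ' ') }
    }
    # Firefox writes user overrides to prefs.js inside each profile directory.
    $ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $ffProfiles) {
        Get-ChildItem -Path $ffProfiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hit = Select-String -Path $_.FullName `
                -Pattern 'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)' |
                Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Browser = 'Firefox'
                    Setting = 'browser.startup.homepage'
                    Value   = $hit.Matches[0].Groups[1].Value
                }
            }
        }
    }
}

Write-Host '== Installed programs matching suspect names =='
Get-SuspectPrograms | Format-Table -AutoSize
Write-Host '== Chrome extensions (default profile) =='
Get-ChromeExtensions | Format-Table -AutoSize
Write-Host '== Configured home / start pages =='
Get-HomePageSettings | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell session; HKCU and the profile directories belong to the current user, and HKLM uninstall entries are readable without administrator rights. An empty first table means no program name matched the list, not that the machine is clean, so treat the extension list and an unexpected home page as the more reliable signals.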

Source: Check Point