
As enterprises and organizations recover from the recent WannaCry ransomware attack, a new malware onslaught rears its ugly head. Fireball, a newly discovered and remarkably rampant strain of malware, has already infected up to a quarter of a billion devices.
Kelly Sheridan of Dark Reading, citing Check Point research, reports that Fireball "has infected 250 million computers and 20% of corporate networks around the world." The malware seems to originate from Rafotech, a Chinese digital marketing agency that serves adware. To illustrate the pervasiveness of Fireball: According to Alexa's web traffic data, 14 Rafotech-associated fake search engine pages are among the top 10,000 most-visited websites.
A Cyber Security Disaster in the Making

This malware, which Dark Reading, the International Business Times, and Check Point all describe as adware, has the potential to cause a widespread cyber security disaster. At the moment, Rafotech is using Fireball merely to collect data, redirect search queries, and make money off unwitting users. Though that's malicious enough already, Fireball has the potential to be much, much more dangerous.
Sheridan writes, "While Rafotech is currently using Fireball for data collection and monetary gain, the malware provides a backdoor that can be exploited for further attacks. ... Fireball can also execute code on [a] device to steal information or drop more malware."
How Fireball Spreads
Researchers at Check Point are not yet sure how Fireball spread to so many devices (per Dark Reading), but it may work by "bundling itself to seemingly legitimate software," as Jason Murdock of the International Business Times writes.
However it spreads, Fireball is yet one more example of why it is necessary to scan all downloaded files and software for potentially malicious executables.
Additionally, IT administrators need the ability to block unauthorized executables from entering organizational networks, even if the files are seemingly legitimate.

Catching Fireball
MetaDefender Cloud, OPSWAT's application and threat intelligence platform, identified malicious Fireball files as early as March 13, 2017:
| FILE TYPE | MD5 | SHA1 | SHA256 | ENGINES DETECTING THREATS | DATE LAST SCANNED | DETAILS |
| --- | --- | --- | --- | --- | --- | --- |
| Microsoft Windows Installer | B414711E0E51CCB024CBD7FB9D4D9AA4 | 9B933F06D82F9B85D4563E3B09E5FE2D798C2848 | 4A8E441C1E0A224827BB6552761A5AB8075EC6497EF90DA5AB14AD31D916548A | 23/38 | 2017-03-13 | Link |
| Win32 Executable MS Visual C++ | B56D1D35D46630335E03AF9ADD84B488 | CC725869679E5C8C4B7FCDFFE98BCD4D612A909A | C7244D139EF9EA431A5B9CC6A2176A6A9908710892C74E215431B99CD5228359 | 15/40 | 2017-06-01 | Link |
| Win64 Executable | 84DCB96BDD84389D4449F13EAC750986 | 3C812EA95AA6A2234548814B5447C2AC786DAA30 | F964A4B95D5C518FD56F06044AF39A146D84B801D9472E022DE4C929A5B8FDCC | 14/40 | 2017-06-01 | Link |
| Win64 Executable | 7B2868FAA915A7FC6E2D7CC5A965B1E7 | 250A8BD174403E32AD77F7E710E7165E7DF40A47 | E4D4F6FBFBBBF3904CA45D296DC565138A17484C54AEBBB00BA9D57F80DFE7E5 | 15/40 | 2017-06-01 | Link |
MetaDefender Cloud uses multi-scanning to identify known and unknown threats more quickly. "Multi-scanning" means scanning files quickly and efficiently with up to 40 anti-malware engines that use both signature and heuristic detection.
