New browser-hacking malware turns 250 million computers into 'zombies'
About 250 million computers have been infected worldwide by a high-volume Chinese threat operation that hijacks web browsers and turns computers into ‘zombies,’ according to a Check Point report released Thursday.
The operation, run by Chinese digital marketing firm Rafotech, uses the malware to manipulate the victim’s browsers and change default search engines and homepages into fake search engines.
Twenty percent of all infections are on corporate networks, with about 5.5 million infected computers in the U.S. -- or about 2.2 percent of all infections. India and Brazil were the hardest hit, with 25.3 million (10.1 percent) and 24.1 million (9.6 percent) respectively.
While the report didn’t break down infected countries by industry, healthcare security leaders should add this newest outbreak to their threat intelligence radar and monitor for any developments.
The malware, Fireball, acts as a browser hijacker, but can evolve into a fully functioning malware downloader. Researchers said it’s capable of executing any code on the victim machines, which can allow the hacker to steal credentials, among other capabilities.
It installs plugins and other configurations designed to boost the malware’s advertisements, but can easily become a primary distributor for any additional malware. It’s spread mostly through bundling: installed on the victim’s computer packaged with a desired program -- often without a user’s consent.
Fireball is also capable of spying on its victims and executing malicious code, which creates a massive security hole in targeted networks. Researchers said Rafotech can use this malware strain to harvest sensitive information from all infected machines, which can then be sold to threat groups or competitors.
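The hijack described above shows up as changed homepage, startup page and default search provider settings. The following audit script is an added example written for this article, not Check Point's tooling or anything from the report: it parses a Chrome-style Preferences JSON file and flags any of those settings that point at a host outside an allowlist. The key names follow Chrome's Preferences layout as far as known but are treated as assumptions, and the sample profile and the allowlist are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hosts the organisation expects as homepage / search provider.
# Constructed allowlist for this example; a deployment would use its own.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "intranet.example.com"}


def host_of(url):
    """Return the lowercase host of a URL, or None if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower() or None
    except ValueError:
        return None


def audit_preferences(prefs):
    """Return (setting, value) pairs whose host is not on the allowlist.

    `prefs` is the parsed JSON of a Chrome-style Preferences file. The key
    names below are assumptions about Chrome's layout, not taken from the report."""
    findings = []
    # Homepage override.
    homepage = prefs.get("homepage")
    if homepage and host_of(homepage) not in TRUSTED_HOSTS:
        findings.append(("homepage", homepage))
    # Pages opened on browser startup.
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in TRUSTED_HOSTS:
            findings.append(("startup_url", url))
    # Default search provider template URL ({searchTerms} is Chrome's placeholder).
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tpl.get("url")
    if search_url and host_of(search_url) not in TRUSTED_HOSTS:
        findings.append(("default_search_provider", search_url))
    return findings


# Constructed sample resembling a hijacked profile; the domain is a placeholder.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.example-hijack.test/?src=hp",
  "session": {"startup_urls": ["http://search.example-hijack.test/?src=su",
                               "https://intranet.example.com/"]},
  "default_search_provider_data": {"template_url_data": {
      "keyword": "fakesearch", "short_name": "Search",
      "url": "http://search.example-hijack.test/?q={searchTerms}"}}
}
""")

if __name__ == "__main__":
    for setting, value in audit_preferences(SAMPLE_PREFS):
        print(f"suspicious {setting}: {value}")
```

Run against a real profile by loading the browser's Preferences file instead of SAMPLE_PREFS; an empty result means every audited setting points at an allowlisted host.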
During its research, Check Point found other browser hijackers likely developed by other companies. Several of the researchers' findings point to some of these companies working together to distribute the malware for a broader reach.
“[The operation is] possibly the largest infection operation in history,” researchers said. “We believe that although this isn’t a typical malware attack campaign, it has the potential to cause irreversible damage to its victims, as well as worldwide internet users, and therefore it must be blocked by security companies.”
“The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem,” they said.