After the WannaCry ransomware attack, checkpoint researcher has found a Chinese based threat operation called “FIREBALL”. The FIREBALL malware has affected more than 250 million computers across the globe, India being the most affected one contributing 10 percent. The malware is run by a Beijing based company called Rafotech. who sells digital stuffs and mobile game apps. Ironically, “although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency. Reaching 300 million users worldwide – coincidentally similar to our number of estimated infections” says the checkpoint.

What does FIREBALL do?

Fireball has two main functionalities:

  • The ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue.
    Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware. Fireball is mainly used to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either or The fake search engines include tracking pixels used to collect the users’ private information. It mainly spreads through a process called bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.
  • Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and can literally run any code on your computer without your consent. Please note that currently Rafotech uses Fireball only for generating fake internet traffic, but it can perform any typical action of a malware.  You can understand the seriousness of the problem based on the following line by the security firm: “Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.


How to know whether you are infected and remove it?

It’s pretty simple. Open your browser and see which your homepage. If the pages set by you are not loading then try resetting, if it still doesn’t work there is a very good chance that you have been infected. You can also check for the extensions which you haven’t installed. you can remove it by uninstalling any newly installed adware, suspicious programs and browser add-ons. Restore default settings in your browser. Remove all unwanted files from your system and stay protected.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.