Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide.
The installed malware, that we named Fireball, takes over target browsers, turning them into zombies. Fireball has two main functionalities: one is the ability of running any code on victim computers and downloading any file or malware, and the other is hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.
This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines which simply redirect the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball can also spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, thus creating a massive security flaw in targeted machines and networks.
· Check Point analysts uncovered a high volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
· The malware, called Fireball, acts as a browser-hijacker but and can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions ranging from stealing credentials to dropping additional malware.
· Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
· The operation is run by Chinese digital marketing agency.
· Top infected countries are India (10.1%) and Brazil (9.6%)
250 MILLIONS MACHINES AND 20% OF CORPORATE NETWORKS WORLDWIDE INFECTED
The scope of the malware distribution is quite alarming. According to our analysis, over 250 million computers worldwide are infected: specifically, there are 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). In the United States we have witnessed 5.5 million infections (2.2%).
Based on Check Point’s global sensors, the percentages of affected corporate networks are even higher: 20% of all corporate networks. Hit rates in the US (10.7%) and China (4.7%) are alarming, and even more so in Indonesia (60%), India (43%) and Brazil (38%).
Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.
Ironically, although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide – coincidentally similar to our number of estimated infections.
A BACKDOOR TO EVERY INFECTED NETWORK
Fireball and similar browser-hijackers are hybrid creatures, half seemingly legitimate software (see the GOING UNDER THE RADAR section), and half malware. Although Rafotech seemingly uses Fireball only for advertising and initiating traffic to its fake search engines, it actually can perform any action on the victims’ machines, which can have serious consequences. How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.
These browser-hijackers are all capable on the browser level. This means that they can drive victims to malicious sites, spy on them and conduct successful malware dropping.
From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C, it is not inferior to a typical malware. Many threat actors would like to have even a fraction of Rafotech’s power, as Fireball provides a critical backdoor, which can be further exploited.
GOING UNDER THE RADAR
While the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates imparting them a legitimate appearance. Confused? You should be.
Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. How is that? Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the instalment of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.
This grey zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.
According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature.
So how do they carry digital certificates? One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can enjoy the lack of clarity in the adware world’s legality to approve software such as Rafotech’s browser-hijackers.
THE INFECTION MODEL
As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware to other Rafotech products – Deal Wifi and Mustang Browser – as well as bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others.
It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes.
Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.
As with everything in the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.
HOW CAN I KNOW IF I AM INFECTED?
To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?
If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.
THE RED BUTTON IN THE WRONG HANDS
It doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines, and sell this data to threat groups or business rivals. Banking and credit card credentials, medical files, patents and business plans can all be widely exposed and abused by threat actors for various purposes. Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years.
Rafotech holds the power to initiate a global catastrophe and it is not alone. During our research we’ve tracked down additional browser-hijackers that, to our understanding, were developed by other companies. One such company is ELEX Technology, an Internet Services company also based in Beijing that produces products similar to those of Rafotech. Several findings lead us to suspect that the two companies are related, and may be collaborating in the distribution of browser-hijackers or in trading customers’ traffic. For example, an adware developed by ELEX, named YAC (“Yet Another Cleaner”) is suspected to be connected to Rafotech’s operation, dropping its browser-hijackers.
In this research we’ve described Rafotech’s browser-hijackers operation – possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies.
The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s activities make it an immense threat.
HOW DO I REMOVE THE MALWARE, ONCE INFECTED?
To remove almost any adware, follow these simple steps:
1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.
For Mac OS users:
a. Use the Finder to locate the Applications folder.
b. Drag the suspicious file to the Trash.
c. Empty the Trash.
Note – A usable program is not always installed on the machine and therefore may not be found on the program list.
2. Scan and clean your machine, using:
· Anti-Malware software
· Adware cleaner software
3. Remove malicious Add-ons, extensions or plug-ins from your browser:
Cons exploit Telegram ICO
Kaspersky Lab researchers have uncovered dozens of highly convincing fake websites claiming to be investment sites for an initial coin offering (ICO) by the Telegram messaging service. Many of these websites appear to belong to the same group. In one case alone, tens of thousands of US dollars’ worth of cryptocurrency were stolen from victims believing they were investing in ‘Grams’, Telegram’s rumoured new currency. Telegram has not officially confirmed an ICO and has warned people about fraudulent investor sites.
In late 2017, stories started to circulate that the Telegram messaging service was launching an initial coin offering (ICO) to finance a blockchain platform based on its TON (Telegram Open Network) technology. Unverified technical documentation was posted online, but there appears to have been no confirmation from Telegram itself. The resulting confusion seems to have allowed fraudsters to capitalise on investor interest by creating fake sites and stealing vast sums of money.
Kaspersky Lab researchers have discovered dozens of such sites, possibly belonging to the same group, claiming to sell tokens for ‘Grams’ and inviting investors to pay with cryptocurrencies including Bitcoin, Ethereum, lice litecoin, dash and Bitcoin dash. A record of transactions on one site revealed that the scammers were able to steal at least $35,000 US dollars’ worth of Ethereum from investors.
The researchers found that some of the websites were so convincing that even after Telegram and others began to issue warnings, they were still able to recruit potential investors. Most use a secure connection, require registration and generate a unique online wallet for each new victim, making it harder to track the money.
Judging by the content of the fake websites, it appears they may have common ownership. For example, several have the exactly the same ‘Our Team’ section.
“ICOs are a fairly risky investment and many people don’t yet fully understand how they work, so it is not surprising that high quality fake websites, with seemingly reassuring features such as a secure connection and registration are successful at luring people in. People wishing to invest in an ICO would do well to check with the company behind it and make sure they know exactly who they are giving their money to, or they may never see it again,” said Nadezhda Demidova, Lead Web-Content Analyst, Kaspersky Lab.
Kaspersky Lab offers the following advice for users considering investing in an ICO:
- Check for warning signs: for example, some of the fake Telegram ICO websites had the same wrong image next to the name of Telegram’s Chief Product Officer.
- Do your homework: always check with the brand’s official site to verify the legitimacy of the investment site and, if necessary contact the company’s ICO teams before investing any money or currency.
- Use reliable security solutions such as Kaspersky Internet Security and Kaspersky Internet Security for Android, which will warn you if you try to visit fake internet pages.
Crouching Yeti strikes
Kaspersky Lab has uncovered infrastructure used by the Russian-speaking APT group Crouching Yeti, also known as Energetic Bear, which includes compromised servers across the world.
According to the research, numerous servers in different countries were hit since 2016, sometimes in order to gain access to other resources. Others, including those hosting Russian websites, were used as watering holes.
Crouching Yeti is a Russian-speaking advanced persistent threat (APT) group that Kaspersky Lab has been tracking since 2010. It is best known for targeting industrial sectors around the world, with a primary focus on energy facilities, for the main purpose of stealing valuable data from victim systems. One of the techniques the group has been widely using is through watering hole attacks: the attackers injected websites with a link redirecting visitors to a malicious server.
Recently Kaspersky Lab has discovered a number of servers, compromised by the group, belonging to different organisations based in Russia, the U.S., Turkey and European countries, and not limited to industrial companies. According to researchers, they were hit in 2016 and 2017 with different purposes. Thus, besides watering hole, in some cases they were used as intermediaries to conduct attacks on other resources.
In the process of analysing infected servers, researchers identified numerous websites and servers used by organisations in Russia, U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack. Some of the sites scanned may have been of interest to the attackers as candidates for waterhole. The range of websites and servers that captured the attention of the intruders is extensive. Kaspersky Lab researchers found that the attackers had scanned numerous websites of different types, including online stores and services, public organisations, NGOs, manufacturing, etc.
Also, experts found that the group used publicly available malicious tools, designed for analyzing servers, and for seeking out and collecting information. In addition, a modified sshd file with a preinstalled backdoor was discovered. This was used to replace the original file and could be authorised with a ‘master password’.
“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organisations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes, but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, Head of Vulnerability Research Group at Kaspersky Lab ICS CERT.
“The group’s activities, such as initial data collection, the theft of authentication data, and the scanning of resources, are used to launch further attacks. The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties,” he added.
Kaspersky Lab recommends that organisations implement a comprehensive framework against advanced threats comprising of dedicated security solutions for targeted attack detection and incident response, along with expert services and threat intelligence. As a part of Kaspersky Threat Management and Defense, our anti-targeted attack platform detects an attack at early stages by analysing suspicious network activity, while Kaspersky EDR brings improved endpoint visibility, investigation capabilities and response automation. These are enhanced with global threat intelligence and Kaspersky Lab’s expert services with specialisation in threat hunting and incident response.
More details on this recent Crouching Yeti activity can be found on the Kaspersky Lab ICS CERT website.