Check Point on the track of malware Fireball, which turns browsers into "zombies".

The Check Point Software Technologies research team has discovered a recent major malware operation that has managed to infect over 250 million computers around the world. Installed malware, which Check Point called Fireball, takes over Internet browsers turning them into "zombies".

Fireball has two basic functions - the first is the ability to run arbitrary code on victims' computers and download any file or malware, while the second is to take over the device and manipulate the Internet traffic of infected users in order to generate advertising revenue. Currently, Fireball focuses on installing plug-ins and additional configurations to increase the views of your ads, however, it can easily turn into a leading distributor of any malicious software.

The whole operation is carried out by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate victim browsers, setting the homepage and search engine to a fake search engine that simply redirects queries to or

Fake search engines have so-called "Tracking pixels" for collecting private information about users.

Fireball can also spy on victims, effectively install malware and run arbitrary malicious code on infected machines, creating a wide gap in the security of devices and networks.

250 million machines and 20% of corporate networks are infected all over the world

The distribution range is alarming. According to Check Point's analyzes, over 250 million computers around the world have been infected. Up to 25.3 million infections occurred in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), 13.1 in Indonesia (5, 2%). In the USA, 5.5 million infections were observed (2.2%).

Another indicator of an incredibly high infection is the popularity of fake search engines by Rafotech. According to the Alexa Internet traffic data, 14 of these fake search engines are among the 10,000 most popular websites, and some of them reach the top position in the Top 1000 list.

Global infection rate.

Ironically, although Rafotech does not admit creating browser modifiers and fake search engines, he is proud to announce a successful marketing agency reaching 300 million users worldwide - a number, probably by chance, similar to the estimated infections detected by Check Point.

Rafotech advertisement on the official website.

Backdoor to every infected network

Fireball and similar modifiers, or, if you prefer, browser-hijackers, are hybrid creations, half-looking for ordinary, harmless applications and half-malware. Although Rafotech seems to use Fireball only to display advertisements and direct Internet traffic to its fake search engines, Rafotech has the ability to do anything on victims' devices, which can have serious consequences. How serious? Let's try to imagine a plane for spraying plants armed with an atomic bomb. Yes, it can do its job, but it can also do a lot more.

All browser hijackers work at the browser level. This means that they can redirect victims to malicious websites, spy on them, and download malware. From a technical point of view, Fireball is very complex, it has advanced anti-detection techniques, a multi-layered structure and flexible C & C, not surpassing typical malicious software. Many virus writers would like to achieve at least a fraction of Rafotech's software capabilities, because Fireball has a critical vulnerability to further exploit.

Undetectable for radars

Although Fireball spreads in a malicious and illegal manner, it also has digital certificates confirming its authenticity.

Rafotech acts cautiously on the edge of legality, knowing that the dissemination of adware (applications displaying advertisements) is not seen as a crime, as opposed to the spread of malicious software. Why? Many companies provide their software or services for free, earning money by collecting their clients' data or displaying advertisements. If the customer agrees to install the software on his computer, it is difficult to prove to the provider the illegal activity.

The existence of this shadow economy has led to the emergence of a new way of earning - bundle-package. Bundling is based on the fact that the application downloaded by the user installs another application on occasion, sometimes with the user's consent and sometimes without.

Rafotech uses bundling to spread the Fireball app.

Bundling in action.

According to Check Point's analysis, Rafotech's distribution methods can not be considered legal. Malicious software and fake search engines do not have information linking them to Rafotech, hiding their real purpose, and the ordinary user can not uninstall them.

So how do they have legal digital signatures? Perhaps the company that issued the certificate is a small publisher bending the rules of ethics, using the lack of clear criteria of legality in the world of adware.

The way of infection

As with other types of malware, there are several ways that Fireball can spread. Check Point suspects that the most common way of attack is to install it in a package along with other Rafotech products: Deal Wifi and Mustang browsers along with free applications from other distributors, such as Soso Desktop or FVP Imageviewer.

Please note that additional malware does not have to be installed when the basic application is installed. If you download suspect freeware and nothing happens immediately, it does not necessarily mean that nothing happens behind the scenes. What's more, Rafotech most probably also uses additional distribution methods, such as distributing freeware under false names, spam or buying installations from criminals.

As with everything on the Internet, you have to remember that there is nothing for free. If you download the free application, you use free services (eg streaming, downloading files), the provider must somehow earn money. If the source is not an advertiser, it must be somewhere else.

Is my computer infected?

To check if your computer has been infected, check:

  • Home page. Is your homepage set up? Can you change it? Do you recognize your default search engine and do you also have the option to change it?
  • Installed plugins. Do you recognize all installed browser plugins?

If the answer to any of the questions was "No", it is a sign that your computer could fall victim to malware. You can also use a proven antivirus just in case. If you do not know which one to decide on, read our test .

To remove the threat, it is necessary to diagnose the computer's condition. Regardless of the operating system, as in similar cases, simply uninstall adware. Then, scan your computer and remove any malicious plugins.; Rafotech's fake search engine.

Red button in bad hands

It does not take much to imagine a scenario in which Rafotech decides to collect sensitive data from all infected machines and then sell them to competitors or criminals. Bank login details, credit card numbers, medical data, patents or business plans can be used by unauthorized persons for various purposes.

Based on the estimated number of infections, approximately one in five companies would fall victim to a large data leak. The key organizations, the largest service providers, would suffer from the critical infrastructure sectors and in medical facilities. Potential losses are indescribable, repairing the damage to such a data leak (if it would have been possible at all) would last for years.

Rafotech has the ability to trigger a global disaster, but not only it. During the research, other browser hijackers were found, which, according to Check Point's analyzes, were written by various companies. One of them is ELEX Technology, a provider of Internet services from Beijing. Several leads indicate that these companies are connected and can cooperate with each other in disseminating their programs and trading customers' online traffic. For example, adware written by ELEX called YAC (YetAnother Cleaner), most likely supports Rafotech.


According to Check Point, although it is not a typical attack of malicious software, it can potentially damage irreparable damage to its victims and all Internet users in the world - and therefore should be blocked by security companies.

The final scale of Fireball prevalence is not yet known, but it is obvious that it is a huge threat to global cyberspace. A quarter of infected devices and every fifth company network show that Rafotech's activities pose great danger.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.