Fireball: Not Your Typical Adware, Not Your Typical Campaign

Link analysis. IOCs. A threat actor.

Partha Biswal
Beyond The Perimeter
Jun 7, 2017


How Fireball is linked to IOCs and threat actors ©ThreatLandscape

For SOCs and analysts: IOCs and Holy Kau, a possible threat actor!

List of IOCs and file hashes discovered so far by Check Point

In addition to all the IOCs already disclosed, ThreatLandscape has been able to find quite a few additional ones, along with a possible threat actor by the name of Yuli Kau.

Fireball link analysis graph by ThreatLandscape identifies one Yuli Kau as a threat actor. High-res image at https://goo.gl/QeBhM9

List of additional IOCs and a possible threat actor discovered by ThreatLandscape

Backstory: Is it a drink? Is it a song? No, it’s a tricky malware!

Fireball is anything but an innocuous song or a whisky. A browser-hijacking malware, it has already infected over 250 million computers worldwide in a threat operation run by Chinese digital marketing agency Rafotech.

Rafotech’s homepage on June 1. The site was down at the time of writing of this report.

Check Point Software first reported it a week ago, warning that the malware “can be turned into a full-functioning malware downloader”. As of 24 hours ago, 20 percent of all corporate networks had been infected, with Indonesia, India and Brazil among the top countries affected.

How It Works

Fireball is the latest in a popular malware category called browser hijackers. It turns web browsers into ad-revenue-generating zombies, changing the default search engine and homepage settings so that user requests pass through fake search engines that eventually redirect them to Yahoo or Google. Fireball is interesting in that it drops a tracking pixel in these fake search engines to collect user information. It is a dark testimony to Fireball’s spread and efficacy that 14 of Rafotech’s fake search engines have ranked among the top 10,000 websites, with some reaching the top 1,000 worldwide.
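As an added defender-side example, not part of the original post nor of Check Point’s or ThreatLandscape’s tooling, the script below audits a browser profile’s homepage, start-up URLs and default search provider for the kind of redirection described above. The key layout is modelled on Chrome’s Preferences JSON file, the trusted-host list is an assumption to adapt to local policy, and the hijack domain in the sample is a constructed placeholder, not a real Fireball indicator.

```python
import json
from urllib.parse import urlsplit

# Search/homepage domains a SOC would normally accept (assumption; adjust to policy).
TRUSTED_HOSTS = {"google.com", "bing.com", "duckduckgo.com", "yahoo.com"}

# Constructed sample modelled on Chrome's "Preferences" layout; placeholder hijack domain.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://search.example-hijack.test/?src=bundle",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["http://search.example-hijack.test/"]},
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "example-hijack.test",
            "url": "http://search.example-hijack.test/s?q={searchTerms}&pid=1",
        }
    },
})


def host_of(url):
    """Lowercase hostname of a URL, or None if the URL has none or is malformed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True when host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_prefs(prefs_text, trusted=TRUSTED_HOSTS):
    """Return (setting, host) pairs for homepage, start-up and search settings
    that point outside the allowlist. Missing keys are tolerated: a fresh
    profile may not define all of them, and that is not a finding."""
    prefs = json.loads(prefs_text)
    candidates = [("homepage", prefs.get("homepage"))]
    for url in prefs.get("session", {}).get("startup_urls", []):
        candidates.append(("startup_url", url))
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    candidates.append(("default_search_provider", search.get("url")))
    findings = []
    for name, url in candidates:
        host = host_of(url) if url else None
        if host and not is_trusted(host, trusted):
            findings.append((name, host))
    return findings


if __name__ == "__main__":
    for setting, host in audit_prefs(SAMPLE_PREFS):
        print(f"suspicious {setting}: {host}")
```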

How It Spreads

The infection vector in Fireball’s case is seemingly harmless software that you may want to download and install. Rafotech has cleverly bundled the malware with freeware such as Deal WiFi and Mustang Browser. When any of these programs is installed, Fireball secretly installs itself without the user’s consent. It is also believed that Rafotech may have bought installs from other threat actors and bundled Fireball with as-yet-unknown freeware or spamware.

How It Communicates

Fireball’s associated domains are mostly behind Cloudflare’s (and in some cases Amazon CloudFront’s) services, which act as content delivery networks (CDNs) hiding the actual IP addresses behind them. This is yet another trick the creators of Fireball play to avoid takedowns. To date, Rafotech has not admitted that it owns these fake search engines or domains.

Why Fireball Is A Serious Threat

Unlike typical adware, Fireball is much more threatening because of what it could do. Infected computers can be conscripted into botnets or used to harvest Personally Identifiable Information (PII) such as credit card data and authentication credentials, to be potentially sold to the highest bidder on the dark web. It can also be turned into a very effective distributor of additional malware, or run any malicious code that Rafotech wants.

ThreatLandscape is a Cyber Threat Intelligence start-up using Machine Learning and advanced NLP techniques, with a mission to help governments and enterprises pre-empt threats.


Wannabe cybersecurity tech marketer. Founder with @abhuyan and @phebbagodi at @GetThreatIntel.