Fireball is a Chinese-based malware that affected over 250 million computers. This malware was discovered by the Check Point threat intelligence and research team, which ascertained that a high-volume Chinese threat operation had affected millions of computers worldwide (Morris, 2017). The Fireball malware usually “takes targeted browsers and alter them to zombies” (Morris, 2017). Fireball malware has two main functionalities. First, this malware can run any code on the targeted computer. This allows it to download any file, manipulate the infected user's browsing and generate ad revenue. Second, this malware installs plug-ins and configuration changes to promote its advertisements.
What sector did it affect?
Fireball malware targeted corporate sector networks. Over 250 million computers, representing 20% of corporate networks across the world, were affected. The hit rates were 10.7% in the US alone, 4.7% in China, 14% in India and 38% in Brazil (Morris, 2017). This was a massive infection that the malware caused in the corporate sector. The corporate sector was the target because of its high volume of exchange, and thus attacking these networks would earn the attacker good money. Moreover, some corporate computers are not well guarded, and thus the attacker focused on these networks rather than on government networks. Besides, the corporate sector was the target because it has the largest network, so finding details from various corporations was easy. The attacker would collect information from various unsuspecting firms and launch attacks on their computers. The attacker also found corporate networks more vulnerable in comparison to government networks. Tracing the attacker on a large network is hard. However, the authorities can easily trace an attacker on government networks, and heavy measures can be leveled against the perpetrators.
What are the indicators of the attack?
Yahoo, one of the victims, revealed the first indicators of the attack. The attack compromised the real names, emails, addresses and dates of birth of the users. Yahoo established that the names and addresses of over 500 million of its customers had been compromised, in that they no longer matched (Alvarez, 2016). Due to this attack, most Yahoo account users could not log into their accounts because the robust bcrypt algorithm had corrupted their emails and passwords.
The second indicator of the attack was a slowing computer. When a computer that has been working properly starts to slow down or hang, one obvious explanation is an attack. When Fireball malware was launched, millions of targeted computers slowed down (Mascarenhas, 2017). Most computers hung, and users found it hard to operate them. The malware in most cases consumes a large share of the system's capacity once it has intruded, so the system can no longer work properly. The computers also found it hard to access the internet because the browsers were corrupted and could not function as expected. The slow functioning of the computers brought business operations in the organizations to a standstill because nobody could access the files and data required.
The third indicator of a Fireball attack was corrupted files and loss of data. When Fireball malware was launched, millions of files and volumes of data were lost by the corporations. After the attack, users found it hard to access simple files that had previously been available, and the data in the corrupted elements went missing (Shageel, 2017). One would also easily find that the security solutions had been disabled, leaving the system open and unsecured.
Another indicator of the malware attack was internet traffic increasing suspiciously, with numerous pop-up messages and ads. Some ads and messages became annoying and frustrating because whatever activity one tried to perform on the computer failed due to the large volume of traffic (Shageel, 2017). There were also unusual error messages when trying to browse or access certain information. During the Fireball malware attack, many users reported unusual behavior of their systems, causing frustration while discharging their duties.
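The last two indicators above (a surge in web traffic and a flood of ad-related requests from a browser that has been hijacked) are the kind of thing a defender can measure from proxy or DNS logs. The script below is an added illustration, not code from the essay or from Check Point: it compares each host's request count in an observation hour against the previous hour and flags hosts whose traffic both multiplies and shifts toward ad-serving domains. The log format, the ad-domain list and the thresholds are all assumptions; the domains are constructed placeholders, not real Fireball indicators.

```python
"""Flag hosts whose web traffic spikes and shifts toward ad-serving domains.

Added example (not from the essay or from Check Point). The proxy log format
"<ISO timestamp> <client host> <destination domain>", the AD_DOMAINS list and
the thresholds in analyze() are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder labels for ad/tracking domains; in a real deployment
# this would be fed from a category feed, not hard-coded.
AD_DOMAINS = {
    "ads.placeholder-example",
    "track.placeholder-example",
    "popup.placeholder-example",
}


def make_sample_log() -> str:
    """Build constructed proxy log lines for two hosts.

    host-a browses normally for an hour, then bursts into ad traffic
    (the pattern described for a hijacked browser); host-b stays steady.
    """
    base = datetime(2017, 6, 1, 9, 0, 0)   # baseline hour 09:00-09:59
    obs = base + timedelta(hours=1)         # observation hour 10:00-10:59
    lines = []
    for i in range(4):
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} host-a news.example")
    ad_list = sorted(AD_DOMAINS)
    for i in range(12):
        lines.append(f"{(obs + timedelta(minutes=4 * i)).isoformat()} host-a {ad_list[i % 3]}")
    for i in range(3):
        lines.append(f"{(obs + timedelta(minutes=50 + i)).isoformat()} host-a mail.example")
    for i in range(4):
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} host-b docs.example")
    for i in range(5):
        lines.append(f"{(obs + timedelta(minutes=10 * i)).isoformat()} host-b docs.example")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse the assumed three-field log format into (timestamp, host, domain)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing the whole run
        ts, host, domain = parts
        records.append((datetime.fromisoformat(ts), host, domain.lower()))
    return records


def analyze(records, window_start, window_len=timedelta(hours=1),
            rate_ratio=3.0, ad_fraction=0.5):
    """Compare each host's observation window against the preceding window.

    A host is flagged when its request count grows by at least `rate_ratio`
    AND at least `ad_fraction` of its observation-window requests go to
    AD_DOMAINS. Both conditions together avoid flagging a plain busy host.
    """
    baseline_start = window_start - window_len
    window_end = window_start + window_len
    counts = defaultdict(lambda: {"base": 0, "obs": 0, "obs_ad": 0})
    for ts, host, domain in records:
        if baseline_start <= ts < window_start:
            counts[host]["base"] += 1
        elif window_start <= ts < window_end:
            counts[host]["obs"] += 1
            if domain in AD_DOMAINS:
                counts[host]["obs_ad"] += 1
    findings = {}
    for host, c in counts.items():
        ratio = c["obs"] / max(c["base"], 1)   # avoid division by zero for new hosts
        frac = c["obs_ad"] / c["obs"] if c["obs"] else 0.0
        findings[host] = {
            "ratio": ratio,
            "ad_fraction": frac,
            "flagged": ratio >= rate_ratio and frac >= ad_fraction,
        }
    return findings


def flagged_hosts(findings) -> list:
    """Return the sorted list of hosts that met both thresholds."""
    return sorted(h for h, f in findings.items() if f["flagged"])


if __name__ == "__main__":
    results = analyze(parse_log(make_sample_log()), datetime(2017, 6, 1, 10, 0, 0))
    for host, f in sorted(results.items()):
        print(f"{host}: x{f['ratio']:.2f} traffic, {f['ad_fraction']:.0%} ad domains, "
              f"{'FLAG' if f['flagged'] else 'ok'}")
```

On the constructed log, host-a shows a 3.75x jump with 80% of its requests going to ad domains and is flagged, while host-b's modest growth with no ad traffic is not. Requiring both conditions is the point: a traffic spike alone is ordinary (a software update, a large download), and a few ad requests alone are ordinary too; the combination is what matches the behavior this section describes.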
Tactics, techniques, and procedures
Hackers use different techniques to accomplish their mission. The first technique used by the Fireball malware attackers is generating unique binaries that are used only once and then discarded. The hackers know very well that using the same binary more than once would expose them (Trend Micro, 2018). Thus, they generate binaries, use them for the attack and then destroy them to cover their tracks so that defenders fail to trace them. Discarding the binaries that were used makes it hard for defenders to understand how the hackers attacked and how to deal with them, whereas reused binaries can be traced through simple configuration and other low-cost means.
The second technique employed by the hackers is spear-phishing. Spear-phishing means going after less defended assets such as employees' accounts, emails, and devices instead of highly guarded assets (Trend Micro, 2018). In fact, Fireball malware used spear-phishing because it attacked less guarded assets such as the customers' contacts at Yahoo. It was easier for the hacker to gain access to customers' files in the corporate world and corrupt them than to find the corporation's sensitive files. Sensitive corporate files are heavily guarded, and accessing them requires complex planning.
The third tactic used by the attackers is gaining a foothold in the target organization. The hacker targets users outside the safety of the corporate perimeter (Trend Micro, 2018). The attacker gathers details on various external aspects of the organization and develops malware able to penetrate the anti-malware protecting the internal files (Panda Security, 2017). Once inside, the malware could not easily be noticed, and the attackers would go for the most vulnerable files, such as employees' records, corrupting them to find a route to the most guarded files.