Recently, Fireball malware has garnered a lot of attention by claiming to have spread to 250 million computers. Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.
But before this threat was called Fireball, it was labeled by most antivirus (AV) companies as ELEX adware. In this blog, we will be detailing the Fireball threat and many of the ways it presents in order to determine whether the threat is real and, if so, what can be done to block it.
Fireball has almost always been found bundled with other software, but it’s bundled in such a way that the typical user would not be aware of it – this ‘hidden’ aspect, alone, makes it worthy of exploration.
The primary distributer of these bundles is a company named RafoTech. Their website is currently down following the release of the original blog by Checkpoint, and the command-and-control (C2) channel associated with that URL has also been taken offline. However, you can still find cached versions of the web page on WayBackMachine.
RafoTech has combined several advertising networks from PropellerAds to Dealply to reach the numbers reported. It is possible that bundles from any of these networks currently contains Fireball.
Figure 1: Ad Networks Used by RafoTech. (Image From Their Website.)
The installation phase is where much of the confusion originates. Once the bundled software is executed, one of many different payloads is installed. We have come across a few major packages, each containing various other adware programs such as QQBrowser, aMule P2P client, BiksQRSS an RSS client, and the list goes on. However, this adware is not what the user should be worried about in terms of malware threat, as much of this adware is common, easy to remove, and not classifiable as malware.
The real issue is any of the several browser hijackers installed by this bundle. Taking the form of a DLL turned into a service, these payloads all install common persistence mechanisms and even clean up after themselves in the same ways (this is reviewed in the next section). These services have several names: we have seen WinArcher/D_Box, WinSAP, iThemes, WinSnare, and MiliMili/ IMO. These are also listed commonly by the AV industry as ELEX Adware.
To install themselves, a DLL is dropped by the original bundle (Archer.dll, WinSap.DLL, iThemes.dll, etc.). This DLL is then run with one of various exports (InstallArcherSvc, SAP, InstWinSnare, etc), which follows a general format of copying itself to a new directory typically under C:\Program Files(x86)\ and then its name (Winarcher, WinSAP, etc). Next, a registry key is created under HKLM\SYSTEM\CurrentControlSet\Services\[Servicename] and \Parameters (Figures 2-4).
This process is how ServiceDLLs are installed in the Windows OS. These kinds of DLLs are easily identified by the presence of the export function "ServiceMain", which is used primarily in these kinds of ServiceDLLs.
Figure 2: WinArcher Service Registry Keys
Figure 3: WinSAP Service Registry Keys
Figure 4: iThemes Service Registry Keys
These registry keys specify the way to run each of these DLLs as a service. This is a common persistence mechanism among malware (not something we would expect to see in run-of-the-mill adware), and this ensures that each time the machine is booted up that these services are running.
Most of these payloads clean up after themselves in the same way, with a trick involving MoveFileExW. This function is used by the OS to move a file from point A to point B. In this case, the second parameter specifying the location for the file to be moved, is passed as NULL. This de-allocates the disk space without moving the data. A specific flag, MOVEFILE_DELAY_UNTIL_REBOOT, is also passed. This ensures that the file isn’t modified while its process is running, and instead waits until the machine is rebooted. This effectively deletes the original DLL without it having to try to delete itself on exit or with a second file on disk such as a .cmd or uninstall file.
Figure 5: Pending File Rename Operations Created by MoveFileExW.
This cleanup is performed by either the service DLL or by another DLL that is either within the package or downloaded later. WinArcher in particular uses a configuration file that calls several DLLs, including one found in almost all the WinArcher bundles, ‘byebye.dll.’ When reversed, the call to delete each PE in turn can be seen (functions renamed for clarity).
Figure 6: byebye.dll Entry Point, With Calls to Delete Each File in Turn
Figure 7: Call of MoveFileExW, Being Passed paramater "4", or MOVEFILE_ON_REBOOT.
These services contain the browser hijacker functionality of Fireball. They perform the functions typical of a hijacker, changing your home page or redirecting your browser traffic to desired locations to generate advertising revenue. Again, not something you’d expect from adware.
Many of these services also contain detailed logging capability. WinSnare is a malicious use of Snare by Intersect Alliance, a complex log aggregation tool. While many of the other bundles include files used for information gathering on the host. Some of these are even legitimate Windows tools renamed and distributed. Such is the case for ‘ttttt.exe’ and ‘hhhhh.exe,’ which are actually Microsoft Sysinternals Handle v4.0 and traceroute programs.
Most of these samples also communicate over similar C2 channels, primarily being on the Amazon CDN Cloudfront. Thus, several of the IOCs listed by this and many other blogs are subdomains of Cloudfront.net. This ensures that the C2 and desired files will be available in large scale. Many of these C2’s are listed in the IOC section at the end of this blog.
In most cases, the browser hijackers installed by Fireball want to generate page views and clicks, otherwise known as ‘click fraud.’ This generates revenue for the attacker and at the same time does not create enough annoyance for a user or community to take action against it. This type of malware infection is akin to the common cold, which causes some discomfort, but maybe not enough for you to go see your doctor. And just like the common cold, some strains will be more impactful than others. The surreptitious nature of Fireball ultimately led to its outing as something to be eradicated.
So, is Fireball adware or malware? The decision is made easy by two things:
1. The installation of the browser hijacker is effectively silent to the typical user. Installing itself without permission or notification to the user is clearly a malicious action.
2. Second, this is a non-trivial uninstall. The standard user would likely have issues uninstalling any of these services, and would require a detailed guide. The packages do not come with uninstallation files or scripts for the typical user.
These two factors have lead the Cylance Threat Guidance Team to classify this threat as malware. As such, users should take appropriate precautions to avoid infection by Fireball.
A good first step is to ensure that your browser, OS, and AV product of choice is up to date. But the best way to stay safe is to avoid downloading software from disreputable, third party, or otherwise sketchy websites. These sites often take legitimate software and bundle it with adware and programs like Fireball.
If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Indicators of Compromise (IoCs)
Several Subdomains of the Cloudfront CDN, Including: