New Malware Threat: Hijacking Social Media via Microsoft Store Games
The Rise of Electron Bot
Recently, a concerning malware known as "Electron Bot" has been discovered, infecting over 5,000 Windows workstations across various countries, including Sweden, Bulgaria, Russia, Bermuda, and Spain. This malware is primarily distributed through Trojanized gaming applications available in Microsoft's official app store. The cybersecurity firm Check Point, based in Israel, identified the malware and its command-and-control (C2) structure, suspecting its creators may be operating out of Bulgaria.
In a report published this week, Check Point's Moshe Marelus emphasized that "Electron Bot functions as modular SEO poisoning malware aimed at manipulating social media and facilitating click fraud." He elaborated, "Its distribution largely occurs through the Microsoft Store, where numerous infected games are uploaded by the attackers continuously." The first signs of this malicious activity were noted back in October 2018, when an ad clicker scheme was uncovered, featuring malware camouflaged as a legitimate Google Photos application.
Evolution of the Malware
The malware has undergone several updates since its initial discovery, enhancing its features and evasion techniques. Electron Bot is engineered to dynamically load payloads from the C2 server during execution, making it particularly challenging to detect. Utilizing the cross-platform Electron framework allows the perpetrators to modify both the bot's actions and its malware payload whenever necessary, as Marelus pointed out.
The primary function of Electron Bot is to discreetly open a browser window for SEO manipulation, generate ad clicks, direct traffic towards YouTube and SoundCloud content, and promote specific products to generate revenue through ad interactions or to enhance store ratings for sales. It is also equipped with tools for managing social media accounts on platforms like Facebook, Google, and SoundCloud, enabling actions such as account creation, login, and interaction with posts to increase visibility.
How the Infection Occurs
When users download a compromised application, such as Temple Endless Runner 2 from the Microsoft Store, the game launches as expected but also runs a next-stage dropper written in JavaScript. This dropper retrieves the actual bot malware and employs evasion techniques against security products such as Kaspersky Lab, ESET, Norton Security, Webroot, Sophos, and F-Secure.
The following game developers have been linked to the distribution of malware-infected applications:
- Lupy Games
- Crazy 4 Games
- Jeuxjeuxkeux Games
- Akshi Games
- Goo Games
- Bizzon Case
Marelus further noted, "Due to the bot's payload being dynamically loaded each time it runs, attackers can modify the code and alter the bot's behavior, leading to potentially severe risks." For instance, they may initiate a second phase and deploy new malware, such as ransomware or a Remote Access Trojan (RAT), all without the victim's awareness.
The Escalating Threat Landscape
The findings surrounding Electron Bot highlight the increasing sophistication of cyber threats, particularly those leveraging legitimate platforms like the Microsoft Store to propagate malware. As users continue to download applications, the need for heightened awareness and robust cybersecurity measures has never been more critical.