A new malware capable of controlling social media accounts is being distributed through Microsoft’s official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain.
Israeli cybersecurity company Check Point dubbed the malware “Electron Bot,” in reference to a command-and-control (C2) domain used in recent campaigns. The identity of the attackers is not known, but evidence suggests that they could be based out of Bulgaria.
“Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud,” Check Point’s Moshe Marelus said in a report published this week. “It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by the attackers. “
The first sign of malicious activity commenced as an ad clicker campaign that was discovered in October 2018, with the malware hiding in plain sight in the form of a Google Photos app, as disclosed by Bleeping Computer.
In the years since, the malware is said to have undergone numerous iterations that equip the malware with new features and evasive capabilities. In addition to using the cross-platform Electron framework, the bot is designed to load payloads fetched from the C2 server at run time, making it difficult to detect.
” This allows the attackers modify the malware’s payload to change bots behavior at any time,” Marelus stated.
Electron Bot is a browser that hides the core of your website. It can be used to perform SEO poisoning and generate clicks to ads.
Aside from that, the app also has functions to control your social media accounts (Google, Facebook and Sound Cloud), including signing up, registering, and commenting on other posts and liking them, in order to get more views.
Along the way, there are steps to identify potential threat detection software from companies such as Kaspersky Lab, ESET, Norton Security, Webroot, Sophos, and F-Secure before the dropper proceeds to fetch the actual bot malware.
The list of game publishers that pushed the malware-laced apps is as follows –
- Lupy games
- Crazy 4 games
- Jeuxjeuxkeux games
- Akshi games
- Goo Games
- Bizzon Case
“As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bot’s behavior to high risk,” Marelus noted. They can also initiate a second stage to drop new malware, such as ransomware and RATs. All of this can happen without the victim’s knowledge. “