Social media malware is spread via games in the Microsoft store


Check Point reports on the malicious program Electron-Bot

Security researchers at Check Point have discovered a new malware that attacks social media accounts, including Facebook, Google and SoundCloud. Electron-Bot, as the name suggests, can take over these accounts, which means it can register new accounts, log in, comment and press Like. Electron-Bot is distributed through video games on the Microsoft Store, including the popular titles Temple Run and Subway Surfer. Worse than the social media attack: because the payload is downloaded dynamically, the hackers can use the malware as a backdoor to completely take over a user’s computer. More than 5000 computers have already been infected, spread over 20 countries. Currently, most of them are in Sweden, Bermuda, Israel and Spain.

What the malware can also do:

  • SEO Poisoning, a method of attack in which hackers create fraudulent websites and use search engine optimization tactics to make them appear at the forefront of search results. This method is also used as a sell-as-a-service to improve the ranking of other websites.
  • Ad Clicker, an infection that runs in the background and constantly connects to websites in order to generate clicks for advertising and thus financially benefit from the number of clicks on an advertisement.
  • Promotion of social media accounts, such as YouTube and SoundCloud, to direct traffic to certain content and increase the number of views as well as advertising clicks in order to make a profit.
  • Promoting online products to make a profit on ad clicks or to increase the rating of stores in order to increase sales.

Regarding the Microsoft Store itself, the security researchers say that dozens of infected applications are offered there. Some idea of the scale is given by the fact that several supposed game publishers offer nothing but games containing malware. These are:

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • bizon case

The path of attack of the malware looks like this:

  • The attack begins with the installation of a contaminated Microsoft Store application.
  • After installation, the attacker downloads various files and runs scripts.
  • The downloaded malware remains on the victim’s computer and repeatedly executes various commands sent by the attacker’s C&C server.

To avoid detection, most of the scripts that control the malware are dynamically loaded from the attackers’ servers as needed. This allows the hackers to modify the payload of the malware and change the behavior of the bots at any time. The malware also uses the Electron framework to mimic human browsing behavior and bypass website protection.
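A defender-side hunt that ties the two points above together, as an added example and not code from the Check Point report: it enumerates installed Store packages, flags those whose display publisher matches one of the publishers named in the article, and separately flags packages that bundle an Electron runtime. The Electron file markers (`resources\app.asar`, `resources\app\package.json`) are an assumption about how Electron apps are typically packaged and are only a heuristic, not proof of infection.

```powershell
# Added example (not from the Check Point report): hunt for Microsoft Store
# packages from the publishers named in the article and for Electron-based packages.
# Run in an elevated PowerShell session on the endpoint being checked.

# Publisher display names as listed in the article; matching is case-insensitive and partial.
$SuspectPublishers = @('Lupy games', 'Crazy 4 games', 'Jeuxjeuxkeux games',
                       'Akshi games', 'Goo Games', 'bizon case')

# Assumed Electron packaging layout: the JavaScript payload lives under resources\.
# Presence only marks the package for review; many legitimate apps use Electron.
$ElectronMarkers = @('resources\app.asar', 'resources\app\package.json')

$findings = foreach ($pkg in Get-AppxPackage -AllUsers) {
    # The friendly publisher name is in the manifest, not in the package object itself.
    $displayPublisher = $null
    try {
        $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction Stop
        $displayPublisher = $manifest.Package.Properties.PublisherDisplayName
    } catch { }

    $publisherHit = $SuspectPublishers | Where-Object {
        $displayPublisher -and $displayPublisher -like "*$_*"
    }

    $electronHit = $false
    if ($pkg.InstallLocation) {
        $electronHit = ($ElectronMarkers | ForEach-Object {
            Test-Path (Join-Path $pkg.InstallLocation $_) }) -contains $true
    }

    if ($publisherHit -or $electronHit) {
        [pscustomobject]@{
            Package        = $pkg.Name
            Publisher      = $displayPublisher
            InstallPath    = $pkg.InstallLocation
            PublisherMatch = [bool]$publisherHit
            ElectronFiles  = $electronHit
        }
    }
}

# Packages with PublisherMatch = True are the ones the article names; ElectronFiles = True
# alone only means "review the package", e.g. check what scripts it fetches at runtime.
$findings | Format-Table -AutoSize
```

Because the bot's scripts are fetched from attacker servers at runtime, a clean package directory does not rule out infection; correlate hits with outbound network activity from the package's process.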

The security researchers suspect that a hacker group from Bulgaria is behind the malware. Their reasons:

  • All variants between 2019 and 2022 were uploaded from Bulgaria to public cloud storage at mediafire.com.
  • The SoundCloud account and the YouTube channel that the bot promotes are named “Ivaylo Yordanov”, a well-known Bulgarian wrestler and football player.
  • Bulgaria is the country promoted most often in the source code.

Daniel Alima, Malware Analyst at Check Point Software Technologies, explains: “In this investigation, a new malware called Electron-Bot was discovered, which has attacked more than 5000 computers worldwide. Electron-Bot is downloaded through the official Microsoft Store platform and spreads easily. The Electron framework provides Electron apps with access to computing power, including GPU computing. Since the payload of the bot is dynamically loaded each time it is executed, the attackers can modify the code and change the behavior of the bot in such a way that it poses a high risk. For example, they can initialize a second stage and inject a new malware, such as ransomware or a RAT. All this can happen without the knowledge of the victim. The problem: most people believe that you can simply trust the reviews of applications in the stores and do not hesitate to download an application because of this. This carries an incredible risk, since you never know which malicious elements you are really downloading.”

Check Point has already responsibly informed all affected game providers.
