Check Point Research (CPR) has found a new malware strain distributed through gaming apps on the official Microsoft Store. The malware, called Electron-bot, can take control of its victims' social media accounts, register new accounts, log in, and comment on and like other posts. It was distributed inside game apps posing as popular titles such as “Temple Run” or “Subway Surfer”.
CPR has counted about 5,000 victims in 20 countries so far, mostly in Sweden, Bermuda, Israel and Spain, and advises users to immediately delete applications from publishers including Lupy games, Crazy 4 games, Jeuxjeuxkeux games, Akshi games, Goo Games and Bizon houses.
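The only concrete remediation the report offers is to find and remove Store apps from the publishers named above. The following PowerShell hunting script is an added example, not code from CPR or from this article: it lists installed AppX packages whose package name, publisher CN or manifest PublisherDisplayName contains one of those publisher names. It assumes the Store publisher display names appear in those fields; the match is a case-insensitive substring heuristic intended to produce a short list for manual review, not a definitive detection, and it only reports rather than removes.

```powershell
# Added example (not from the CPR report or this article): hunt for Microsoft Store
# packages whose metadata matches the publishers named in the advisory.
# Assumption: the Store publisher names appear verbatim (modulo spacing/case) in the
# package Name, the Publisher CN or the manifest PublisherDisplayName. This is a
# substring heuristic; review every hit before removing anything.
$SuspectPublishers = @(
    'Lupy games', 'Crazy 4 games', 'Jeuxjeuxkeux games',
    'Akshi games', 'Goo Games', 'Bizon houses'
)

# Normalise by dropping whitespace and case so "Crazy 4 games" also matches "Crazy4Games".
$Patterns = $SuspectPublishers | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }

function Get-SuspectAppxPackages {
    param([switch]$AllUsers)   # -AllUsers needs an elevated shell

    $packages = if ($AllUsers) { Get-AppxPackage -AllUsers } else { Get-AppxPackage }

    foreach ($pkg in $packages) {
        # PublisherDisplayName lives in the manifest, not on the package object.
        $displayName = ''
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction Stop
            $displayName = [string]$manifest.Package.Properties.PublisherDisplayName
        } catch { }

        $joined   = ($pkg.Name, $pkg.Publisher, $displayName) -join ' '
        $haystack = ($joined -replace '\s', '').ToLowerInvariant()
        $hit      = $Patterns | Where-Object { $haystack.Contains($_) } | Select-Object -First 1

        if ($hit) {
            [pscustomobject]@{
                Name                 = $pkg.Name
                PackageFullName      = $pkg.PackageFullName
                Publisher            = $pkg.Publisher
                PublisherDisplayName = $displayName
                InstallLocation      = $pkg.InstallLocation
                MatchedPattern       = $hit
            }
        }
    }
}

# Report only. Removal is a separate, deliberate step taken after review.
$Suspects = Get-SuspectAppxPackages -AllUsers
$Suspects | Format-Table -AutoSize

# After review, remove the confirmed packages for all users (elevated shell):
#   $Suspects | ForEach-Object { Remove-AppxPackage -Package $_.PackageFullName -AllUsers }
```

Run it from an elevated PowerShell session so that `-AllUsers` covers every profile on the machine; without elevation drop the switch and it inspects only the current user's packages. Because Store publisher strings are not guaranteed to match the names quoted in the advisory, treat an empty result as "no obvious match", not as a clean bill of health, and keep the removal line commented out until each hit has been checked.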
Electron-bot has several capabilities:
- SEO poisoning, a method by which cybercriminals create malicious websites and use search engine optimization tactics to push them to the top of search results. The same capability is also sold as a service to boost the ranking of other sites.
- Ad clicking, where the infection works in the background and constantly connects to websites to generate “clicks” on ads, earning revenue from the number of clicks those ads receive.
- Promoting social media accounts, such as YouTube and SoundCloud channels, to drive traffic to specific content and increase views and ad clicks, thus generating profits.
- Promoting products online, to generate profits through ad clicks or to raise a store's rating and increase sales.
Furthermore, since the Electron-bot payload is loaded dynamically at run time, the attackers can use the installed malware as a backdoor to gain full control over the victim's device.
The infection spreads through the installation of trojanized gaming apps from the Microsoft Store. After installation, the attacker downloads additional files and executes scripts; the downloaded malware gradually takes control of the system, repeatedly executing commands sent by the attacker's command-and-control (C&C) server.
To avoid detection, most of the scripts that control the malware are loaded dynamically at run time from the attacker's servers. This lets the attackers change the malware payload and the bots' behavior at any time. The malware uses the Electron framework to mimic human browsing behavior, thereby evading website bot protections.
The malware appears to originate from Bulgaria, and several pieces of evidence point that way. All the variants discovered between 2019 and 2022 were uploaded to the public cloud storage service “mediafire.com” from Bulgaria; the SoundCloud account and the YouTube channel promoted by the bot are registered under the name “Ivaylo Yordanov”, a popular Bulgarian wrestler and footballer; and Bulgaria is the country that appears most often in the source code.
CPR, which last November disclosed vulnerabilities in MediaTek chips, has already reported to Microsoft all the game publishers linked to this campaign.