‘Electron Bot’ infiltrates Microsoft Store via clones of Popular Games

Are Our Favorite Games Turning into Malware?

As unfortunate as it sounds, a malware strain named Electron Bot has found its way into Microsoft’s official store through clones of popular games, including Subway Surfer and Temple Run, leading to the infection of roughly 5,000 computers in Sweden, Israel, Spain, and Bermuda. The malware was discovered and analyzed by the cyber-intelligence firm Check Point. It is believed to be a backdoor that gives the adversaries complete control over compromised machines, supporting remote command execution and real-time interaction. The goal of the threat actors appears to be social media promotion and click fraud, which they achieve by controlling accounts on Facebook, Google, YouTube, and SoundCloud, since Electron Bot supports new account registration, commenting, and liking on these platforms.


Three years of evolution

The operation was first spotted at the end of 2018, when an early Electron Bot variant was submitted to the Microsoft Store as “Album by Google Photos,” published by a spoofed Google LLC entity. Since then, the operators have added several new features to their ‘tool’ and improved its detection evasion with techniques such as dynamic script loading. The malware is written in Electron, hence its name, and it can emulate natural browsing behavior and perform actions as if it were a real website visitor. To do this, it opens a hidden browser window using the Chromium engine in the Electron framework, sets the appropriate HTTP headers, renders the requested HTML page, and finally performs mouse movement, scrolling, clicks, and keyboard typing.

Electron Bot’s primary objectives in the ongoing campaign analyzed by the Check Point researchers are:

  • SEO poisoning – Create malware-dropping sites that rank high on Google Search results.
  • Ad clicking – Connect to remote sites in the background and click on non-viewable advertisements.
  • Social media account promotion – Direct traffic to specific content on social media platforms.
  • Online product promotion – Increase store rating by clicking on its advertisements.

These functions are offered as services to those who want to increase their online profits illegitimately, so the malware operators’ gains are indirect. As for attribution, Check Point reports finding evidence that the actors are based in Bulgaria, but beyond that, nothing is known about their identity or location.


Infection chain

The infection chain begins with the victim installing one of these trojanized apps from the Microsoft Store, an otherwise trustworthy source of software.

Upon launching the application, a JavaScript dropper is loaded dynamically in the background to fetch the Electron Bot payload and install it. The malware then launches at the next system startup, connects to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com or 11k[.]online), retrieves its configuration, and executes any queued commands. Because the main scripts are loaded dynamically at run time, the JS files dropped onto the machine are very small and seemingly innocuous, which makes static detection harder.


More than just a game

The trojanized games identified by Check Point deliver the expected gameplay while the malicious operations unfold in the background, which explains their positive user reviews on the Microsoft Store. For instance, Temple Endless Runner 2, published on September 6, 2021, has close to a perfect five-star rating from 92 reviews. Of course, the culprits constantly refresh their lures and use different game titles and apps to deliver the malware payloads to unsuspecting victims.

For the moment, users should take note of the publishers that released confirmed malicious game apps under the following names:

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • Bizzon Case


What Now?

It is worth emphasizing that while the current version of Electron Bot does not cause catastrophic damage to infected machines, the threat actors could quickly modify the code to fetch a second-stage payload such as a RAT or even ransomware. Check Point advises Windows users to avoid downloading applications with a low review count, to scrutinize the developer/publisher details, and to verify that the app name is correct and not typo-squatted.


Sources:

https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsoft-store-via-clones-of-popular-games/?traffic_source=Connatix

https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/