Check Point Research (CPR) has discovered new malware that is being actively distributed through gaming applications on Microsoft's official store.
Dubbed Electron-bot, this scourge can control its victims’ online accounts such as Facebook, Google and Sound Cloud. It also has the ability to register new accounts, log in, comment on and “like” other users’ posts.
Some 5 000 victims in 20 countries have been identified so far, and the security giant encourages users to immediately delete applications from a number of publishers. Most of the victims are from Sweden, Bermuda, Israel and Spain.
Popular games including Temple Run and Subway Surfer were found to be malicious.
According to CPR, there are “dozens of infected applications” on Microsoft’s official store, and they have detected several malicious game publishers, where all the applications under those publishers were found to be related to the malicious campaign.
These include Lupy games, Crazy 4 games, Jeuxjeuxkeux games, Akshi games, and Goo Games.
Other capabilities
The malware is also capable of SEO poisoning, an attack method in which threat actors create malicious Web sites and use search engine optimisation tactics to make them show up prominently in search results.
In addition, it employs Ad Clicker, a computer infection that runs in the background and constantly connects to remote Web sites to generate ‘clicks’ for advertisement, profiting financially by the number of times an advertisement is clicked.
It can also use platforms such as YouTube and SoundCloud to direct traffic to specific content and promote online products, to generate profits with ad clicking or increase store rating for higher sales.
As Electron-bot's payload is dynamically loaded, the malefactors can use the installed malware as a backdoor in order to gain total control on the target machine.
How it works
Electron-bot starts by installing a seemingly-legitimate Microsoft store application. Once installed, the attacker downloads files and executes scripts.
The malware then gains persistence on the victim's machine, repeatedly executing various commands sent from the attacker command and control server.
To evade detection, most of the scripts controlling the malware are loaded dynamically at run time from the attackers’ servers, which enables the bad actors to modify the malware’s payload and change the bots’ behaviour at any given time.
Electron-bot also has the ability to imitate human browsing behaviour and evade Web site protections.
Daniel Alima, a malware analyst at CPR, says: “The Electron framework provides Electron apps with access to all of the computer resources, including GPU computing. As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bots behaviour to high risk. For example, they can initialise another second stage and drop a new malware such as ransomware or a RAT. All of this can happen without the victim’s knowledge.”
Who dunnit?
CPR says there is evidence that the malware campaign originated in Bulgaria. All variants between 2019 and 2022 were uploaded to a public cloud storage called mediafire.com from Bulgaria.
The Sound Cloud account and the YouTube channel the bot promotes are under the name “Ivaylo Yordanov,” a popular Bulgarian wrestler and soccer player, and Bulgaria is also the most promoted country in the source code.
CPR has reported to Microsoft all detected game publishers that are related to this campaign.
Alima adds that Most people think they can trust application store reviews, and they don't hesitate to download an application from there. “There's incredible risk with that, as you never know what malicious items you can be downloading."
In order to protect from this malware, CPR advises users to think before downloading an application from an app store: avoid downloading an application with very few reviews and pay attention to suspicious application naming which differs ever so slightly from the original name, as this is a red flag that something isn’t right.
Share