Bot Malware Discovered Using Gaming Apps on Microsoft Store
Check Point Research has revealed a new Electron-bot malware which is actively distributed via Microsoft official store.
With more than 5,000 machines already affected in 20 countries so far, the malware continuously executes commands from attackers, such as controlling social media accounts on Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment and “like” other posts.
The CPR is urging users to immediately remove apps from a number of publishers.
Dubbed Electron-bot by CPR, the malware’s full functionality includes SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them appear prominently in search results. This method is also sold as a service to promote the ranking of other websites.
The malware also uses Ad Clicker, a computer infection that runs in the background and constantly connects to remote websites to generate “clicks” for advertisements, thus profiting financially from the number of times an advertisement is clicked.
It can promote social media accounts, such as YouTube and SoundCloud to direct traffic to specific content and increase views and clicks on advertisements to generate profit, as well as promote online products, to generate profit with clicks on ads or increase store rating for higher sales.
Additionally, as the Electron-bot payload is loaded dynamically, attackers can use the installed malware as a backdoor in order to gain full control over the victim’s machine.
“This research analyzed a new malware called Electron-bot that attacked more than 5,000 victims worldwide,” says Daniel Alima, Malware Analyst at Check Point Research.
“Electron-bot is downloaded and easily distributed from the official Microsoft store platform. The Electron framework provides Electron applications with access to all computing resources, including GPU computing.
“Because the bot payload is loaded dynamically on each run, attackers can modify the code and change the behavior of high-risk bots,” he says.
“For example, they can initiate another second stage and drop new malware such as ransomware or RAT. All of this can happen without the knowledge of the victim. Most people think you can trust the reviews on app stores, and they don’t hesitate to download an app from there.
“There’s an incredible risk with this, because you never know what malicious stuff you might download.”
Distribution via gaming apps on the Microsoft Store
There are dozens of infected apps in the Microsoft Store. Popular games such as “Temple Run” or “Subway Surfer” have been shown to be malicious. CPR has detected several malicious game publishers; every app under these publishers is linked to the malicious campaign:
- Lupy Games
- Crazy 4 games
- Games gamesgamesgames
- Akshi Games
- Goo Games
- bizon case
So far, CPR has counted 5,000 victims in 20 countries. Most of the victims come from Sweden, Bermuda, Israel and Spain.
How Malware Works
The malware campaign works according to the following steps:
- The attack begins with the installation of a Microsoft Store app pretending to be legitimate
- After installation, the attacker downloads files and runs scripts
- The downloaded malware gains persistence on the victim’s machine and repeatedly executes the various commands sent from the attacker’s C&C server
To avoid detection, most scripts controlling the malware are dynamically loaded at runtime from attackers’ servers. This allows attackers to modify the malware payload and alter the behavior of bots at any time, CPR explains. The malware uses the Electron framework to mimic human browsing behavior and evade website protections.
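The behaviour described above, a Store-installed Electron app that pulls its controlling scripts from a remote server at run time instead of shipping them inside the package, is something a defender can look for in egress logs. The following script is an added example written for this article, not Check Point’s code and not derived from the malware: it parses a small set of constructed proxy-log lines (the log format, the package names, hosts and addresses are all assumptions made up for the example) and flags any process running from the Windows Store package directory (`%ProgramFiles%\WindowsApps`) that fetches a JavaScript file over HTTP or HTTPS.

```python
"""Flag Microsoft Store apps that load JavaScript from remote servers at run time.

Added example for the Electron-bot write-up. Not Check Point Research code and
not taken from the malware; all sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real data). Fields: timestamp, process image
# path (may contain spaces), HTTP method, URL, status code. This layout is an
# assumption for the example, not any real product's log format.
SAMPLE_LOG = """\
2022-02-24T10:01:02Z C:\\Program Files\\WindowsApps\\ExamplePublisher.ExampleGame_1.0.0.0_x64__xxxxxxxxxxxxx\\game.exe GET https://cdn.example.test/payload/main.js 200
2022-02-24T10:01:05Z C:\\Program Files\\WindowsApps\\ExamplePublisher.ExampleGame_1.0.0.0_x64__xxxxxxxxxxxxx\\game.exe GET https://soundcloud.com/example-channel 200
2022-02-24T10:02:11Z C:\\Program Files\\WindowsApps\\Contoso.Notes_10.0_x64__yyyyyyyyyyyyy\\Notes.exe GET https://settings.example.test/config.json 200
2022-02-24T10:03:40Z C:\\Users\\alice\\AppData\\Local\\Programs\\SomeEditor\\SomeEditor.exe GET https://update.example.test/latest.js 200
2022-02-24T10:04:01Z C:\\Program Files\\WindowsApps\\OtherPublisher.Runner_2.1_x64__zzzzzzzzzzzzz\\runner.exe GET http://203.0.113.5/loader.js 200
"""

# Non-greedy match on the process path so that "Program Files" (with a space)
# is captured correctly; the method keyword terminates the path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>.+?) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$"
)

# Script types an Electron app could evaluate after downloading them.
SCRIPT_SUFFIXES = (".js", ".mjs", ".cjs")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_store_app(image_path):
    """Microsoft Store packages are installed under %ProgramFiles%\\WindowsApps."""
    return "\\windowsapps\\" in image_path.lower()


def fetches_remote_script(url):
    """True when the URL is an HTTP(S) request whose path names a script file."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.path.lower().endswith(SCRIPT_SUFFIXES)


def find_runtime_script_loads(log_text):
    """Return one hit per Store-app request that downloads a script file.

    Each hit records the process, the remote host, the full URL and whether the
    transfer was plaintext HTTP (a script fetched without TLS could also be
    tampered with in transit, which is worth surfacing separately).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_store_app(rec["proc"]) and fetches_remote_script(rec["url"]):
            parsed = urlparse(rec["url"])
            hits.append({
                "time": rec["ts"],
                "process": rec["proc"],
                "host": parsed.hostname,
                "url": rec["url"],
                "plaintext": parsed.scheme == "http",
            })
    return hits


def hosts_by_process(hits):
    """Group the remote script hosts by the package process that contacted them."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["process"], set()).add(h["host"])
    return grouped


if __name__ == "__main__":
    for h in find_runtime_script_loads(SAMPLE_LOG):
        flag = " [plaintext HTTP]" if h["plaintext"] else ""
        print(f"{h['time']} {h['process']} -> {h['url']}{flag}")
```

Run against the constructed log, the script flags the two Store packages that download `.js` files and leaves the notes app (which only fetches JSON) and the non-Store editor alone. Scoping the rule to the `WindowsApps` directory keeps noise down because a packaged Store app has little legitimate reason to fetch executable script after install; a broader rule could drop that restriction and instead compare the contacted host against the publisher’s declared domains.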
There is evidence that the malware campaign originated in Bulgaria, including:
- All variants between 2019 and 2022 were uploaded to public cloud storage “mediafire.com” from Bulgaria
- The SoundCloud account and YouTube channel the bot promotes are under the name “Ivaylo Yordanov”, a famous Bulgarian wrestler/footballer.
- Bulgaria is the most promoted country in the source code
CPR has reported all game publishers detected that are linked to this campaign to Microsoft.
In order to stay as safe as possible, before downloading an application from an app store:
- Avoid downloading an app with low reviews
- Look for apps with good, consistent and reliable reviews
- Watch out for suspicious app names that are not identical to the original name