Jump to content
  • Malware infiltrates Microsoft Store via clones of popular games


    Karlston

    • 545 views
    • 4 minutes
     Share


    • 545 views
    • 4 minutes

    A malware named Electron Bot has found its way into Microsoft’s Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of roughly 5,000 computers in Sweden, Israel, Spain, and Bermuda.

     

    The malware, spotted and analyzed by cyber-intelligence firm Check Point, is a backdoor that gives the adversaries complete control over compromised machines, supporting remote command execution and real-time interactions.

     

    The goal of the threat actors is social media promotion and click fraud, which they achieve by controlling social media accounts on Facebook, Google, YouTube, and Sound Cloud, as Electron Bot supports new account registration, commenting, and liking on these platforms.

    Three years of evolution

    The operation was first discovered at the end of 2018 when an early Electron Bot variant was submitted to the Microsoft Store as “Album by Google Photos,” published by a spoofed Google LLC entity.

     

    Since then, the malware authors have added several new features to their tool and advanced detection evasion capabilities like dynamic script loading.

     

    The malware is written in Electron, hence the name, and it can emulate natural browsing behavior and perform actions as if it’s a real website visitor.

     

    For this, it opens a new hidden browser window using the Chromium engine in the Electron framework, sets the appropriate HTTP headers, renders the requested HTML page, and finally performs mouse movement, scrolling, clicks, and keyboard typing.

     

    mouse.jpg

    Human mouse movement emulation (Check Point)

     

    Electron Bot's primary goals in the ongoing campaign analyzed by the Check Point researchers are:

     

    • SEO poisoning – Create malware-dropping sites that rank high on Google Search results.
    • Ad clicking – Connect to remote sites in the background and click on non-viewable advertisements.
    • Social media account promotion – Direct traffic to specific content on social media platforms.
    • Online product promotion – Increase store rating by clicking on its advertisements.

     

    comments.jpg

    Hardcoded YouTube comments (Check Point)

     

    These functions are offered as services to those who want to increase their online profits illegitimately, so the gains for the malware operators are indirect.

     

    As for attribution, Check Point reports finding evidence pointing to the actors being based in Bulgaria, but besides that, nothing is known about the malicious actors' identity or location.

    Infection chain

    The infection chain begins with the victim installing one of the laced apps from within the Microsoft Store, an otherwise trustworthy source of software.

     

    infection-chain(4).jpg

    Electron Bot infection chain (Check Point)

     

    Upon launching the application, a JavaScript dropper is loaded dynamically in the background to fetch the Electron Bot payload and install it.

     

    The malware launches at the next system startup, connects to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com or 11k[.]online), retrieves its configuration, and executes any commands in the pipeline.

     

    Because the main scripts are loaded dynamically at run time, the JS files dropped on the machine’s memory are very small and seemingly innocuous.

     

    commands(1).jpg

    Commands supported by Electron Bot (Check Point)

    More than just a game

    All laced games identified by Check Point featured the expected functionality while the malicious operations unfolded in the background.

     

    This results in having positive user reviews on the Microsoft Store. For instance, Temple Endless Runner 2, which was published on September 6, 2021, has close to a perfect five-star rating from 92 reviews.

     

    Of course, the crooks constantly refresh their lures and use different game titles and apps to deliver the malware payloads to unsuspecting victims.

     

    temple-runner.jpg

    Laced Temple Runner game on the Microsoft Store (Check Point)

     

    For now, users may take note of the publishers who released confirmed malicious game apps using the following names:

     

    • Lupy games
    • Crazy 4 games
    • Jeuxjeuxkeux games
    • Akshi games
    • Goo Games
    • Bizzon Case

     

    It is important to emphasize that while the existing version of Electron Bot isn’t causing catastrophic damage to the infected machines, the threat actors may easily modify the code to fetch a second-stage payload like a RAT or even ransomware.

     

    Check Point suggests that Windows users avoid downloading applications with a low review count, scrutinize the developer/publisher details, and ensure that the app name is correct and not typo-squatted.

     

     

    Malware infiltrates Microsoft Store via clones of popular games


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...