
New Malware Capable of Controlling Social Media Accounts Infects 5,000+ Machines and Is Actively Being Distributed via Gaming Applications on Microsoft’s Official Store

by wrich

Check Point Research (CPR) has spotted new malware that is actively being distributed through gaming applications on Microsoft’s official store. Named Electron-bot, the malware can control the social media accounts of its victims, including Facebook, Google and SoundCloud. It can register new accounts, log in, comment on and “like” other posts. CPR counts 5,000 victims in 20 countries so far and urges users to immediately delete applications from a number of publishers.

  • Popular games such as “Temple Run” or “Subway Surfer” were found to be malicious
  • Attackers can use the installed malware as a backdoor in order to gain full control of the victim’s machine
  • Most of the victims are from Sweden, Bermuda, Israel and Spain

Check Point Research (CPR) has spotted new malware that is actively being distributed through Microsoft’s official store. With over 5,000 machines already affected, the malware continually executes attacker commands, such as controlling social media accounts on Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment on and “like” other posts.

Dubbed Electron-bot by CPR, the malware’s full capabilities are as follows: 

  • SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results. This method is also sold as a service to promote the ranking of other websites.
  • Ad clicking, a computer infection that runs in the background and constantly connects to remote websites to generate ‘clicks’ on advertisements, profiting from the number of times an advertisement is clicked.
  • Promoting social media accounts, such as YouTube and SoundCloud, to direct traffic to specific content and increase views and ad clicks to generate profits.
  • Promoting online products, to generate profits through ad clicking or to increase store ratings for higher sales.

In addition, as Electron-bot’s payload is dynamically loaded, the attackers can use the installed malware as a backdoor in order to gain full control of the victim’s machine.

Distribution via Gaming Apps on Microsoft Store

There are dozens of infected applications in the Microsoft Store. Popular games such as “Temple Run” or “Subway Surfer” were found to be malicious. CPR has detected several malicious game publishers, where all the applications under those publishers are related to the malicious campaign:

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • bizon case
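As an added example, not part of the CPR report, the following PowerShell inventory check lists installed Store packages whose manifest publisher or display name matches one of the publishers above. It assumes the Store listing’s publisher name is the string that ends up in the package manifest; a publisher registered under a different string would be missed, so treat this as a triage aid, not proof of a clean machine.

```powershell
# Added example (not from the Check Point report): flag installed Store packages whose
# manifest PublisherDisplayName or DisplayName matches one of the publisher names above.
# Assumption: the Store listing's publisher name is what appears in the package manifest.
$suspectPublishers = @(
    'Lupy games', 'Crazy 4 games', 'Jeuxjeuxkeux games',
    'Akshi games', 'Goo Games', 'bizon case'
)

# Normalise for comparison: collapse whitespace, trim, lowercase.
function Normalize-Name([string]$s) {
    return (($s -replace '\s+', ' ').Trim()).ToLowerInvariant()
}
$wanted = $suspectPublishers | ForEach-Object { Normalize-Name $_ }

# -AllUsers needs an elevated shell; drop it to scan only the current user's packages.
$hits = foreach ($pkg in Get-AppxPackage -AllUsers) {
    try {
        $props = (Get-AppxPackageManifest -Package $pkg.PackageFullName).Package.Properties
    } catch { continue }   # manifest not readable for this package/user; skip it
    # DisplayName may be a resource reference ("ms-resource:..."), so the publisher
    # field is the more reliable of the two comparisons.
    $pub  = Normalize-Name ([string]$props.PublisherDisplayName)
    $name = Normalize-Name ([string]$props.DisplayName)
    if ($wanted -contains $pub -or $wanted -contains $name) {
        [pscustomobject]@{
            PackageFullName = $pkg.PackageFullName
            DisplayName     = $props.DisplayName
            Publisher       = $props.PublisherDisplayName
            InstallLocation = $pkg.InstallLocation
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # Review the list, then remove per package with:
    #   Remove-AppxPackage -Package <PackageFullName>   (add -AllUsers when elevated)
} else {
    Write-Output 'No installed packages matched the listed publishers.'
}
```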

Victims

So far, CPR has counted 5,000 victims in 20 countries. Most of the victims are from Sweden, Bermuda, Israel and Spain.

How the Malware Works

The malware campaign works in the following steps: 

  1. The attack starts with the installation of a Microsoft Store application that pretends to be legitimate
  2. After the installation, the attacker downloads files and executes scripts
  3. The downloaded malware gains persistence on the victim’s machine, repeatedly executing various commands sent from the attacker’s C&C

To avoid detection, most of the scripts controlling the malware are loaded dynamically at run time from the attackers’ servers. This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time. The malware uses the Electron framework to imitate human browsing behavior and evade website protections. 

Attribution

There is evidence that the malware campaign originated in Bulgaria, including: 

  • All variants between 2019 and 2022 were uploaded to the public cloud storage service “mediafire.com” from Bulgaria
  • The SoundCloud account and the YouTube channel the bot promotes are under the name “Ivaylo Yordanov,” a popular Bulgarian wrestler/soccer player
  • Bulgaria is the most promoted country in the source code

Disclosure

CPR has reported to Microsoft all detected game publishers that are related to this campaign. 


Daniel Alima, Malware Analyst at Check Point Research: 

“This research analyzed a new malware called Electron-Bot that has attacked more than 5000 victims globally. Electron-Bot is downloaded and easily spread from the official Microsoft store platform. The Electron framework provides Electron apps with access to all of the computer resources, including GPU computing. As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bot’s behavior to high risk. For example, they can initialize another second stage and drop a new malware such as ransomware or a RAT. All of this can happen without the victim’s knowledge. Most people think that you can trust application store reviews, and they don’t hesitate to download an application from there. There’s incredible risk with that, as you never know what malicious items you can be downloading.”


Safety Tips

To stay as safe as possible, before downloading an application from an app store:

  1. Avoid downloading an application with a small number of reviews
  2. Look for applications with good, consistent and reliable reviews
  3. Pay attention to suspicious application names that are not identical to the original name