A backdoor malware that can take over social-media accounts – including Facebook, Google and SoundCloud – has infiltrated Microsoft’s official store by cloning popular games such as Temple Run or Subway Surfer.
The backdoor, dubbed Electron Bot, gives attackers complete control over compromised machines. Among the multiple evil deeds it can execute remotely, it enables its operators to register new accounts, log in, and comment on and like other social media posts – all in real time.
In a Thursday report, Check Point Research (CPR) said that the malware has claimed more than 5,000 victims in 20 countries – most from Bermuda, Bulgaria, Russia, Spain and Sweden – in its actively ongoing onslaught.
It’s mainly being distributed via the Microsoft store platform, hiding in dozens of infected apps – mostly games – that the attackers are “constantly” uploading, CPR said.
A Microsoft spokesperson told Threatpost on Thursday that “We are investigating this issue and will take appropriate action to protect customers.”
SEO Poisoning, Ad-Clicking and Fraud
As for its endgame, CPR researchers described the newly discovered and analyzed Electron Bot backdoor as “a modular SEO-poisoning malware” used “for social-media promotion and click fraud.”
In an SEO-poisoning attack, threat actors create malicious websites and use search-engine optimization tactics that force those sites to the top of search results.
SEO poisoning, besides boosting malicious sites’ search rankings, is also sold as a service to promote other websites’ rankings. It can be just another tool in malware pushers’ kit bags: In March 2021, for example, we saw Gootkit malware use Google SEO poisoning to expand the number of payloads it delivers.
Electron Bot also functions as an ad clicker, constantly clicking on remote websites to generate clicks on ads that generate pay-per-click (PPC) ad revenue.
It can also promote social-media accounts, such as YouTube and SoundCloud, to direct traffic to specific content, thereby jacking up views and ad clicks for yet more PPC loot. Electron Bot can also promote online products: another way to generate PPC revenue or increase a store’s rating for higher sales.
The Electron framework enables the bot to “imitate human browsing behavior and evade website protections,” CPR explained.
Electron: Quietly Buzzing for Years
Researchers said that the first hint of the attackers having trespassed into Microsoft’s app store came at the end of 2018, when an ad-clicker campaign was discovered hiding in an app called “Album by Google Photos” – an app that its authors, audaciously enough, fraudulently pushed as being published by Google LLC.
The malware has gotten bigger and brawnier over the years. The bot gets its name from Electron, an open-source framework for building cross-platform, native desktop applications using web technologies such as JavaScript.
The bot hides by having most of its controlling scripts load dynamically at run time from the attackers’ servers, CPR said. This approach keeps the malware nimble, too, they said: “This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time.”
While the bot’s current activities on infected machines aren’t terribly high-risk, researchers noted, the malware could do far worse, because the Electron framework grants access to all computer resources, including GPU computing.
“As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bots’ behavior to high-risk,” they said. “For example, they can initialize another second stage and drop a new malware such as ransomware or a [remote-access trojan, or RAT]. All of this can happen without the victim’s knowledge.”
Electron Bot Infection Routine
The infection starts when a victim installs an infected app from the Microsoft Store.
“When the user launches the game, a JavaScript dropper is loaded dynamically in the background from the attackers’ server,” according to CPR. “It then executes several actions including downloading and installing the malware and gaining persistency on the startup folder.”
When the infected system next starts up, the malware launches, establishes a connection with the command-and-control server (C2), and receives a dynamic JavaScript payload with a set of capability functions. Finally, the C2 sends the configuration file commands to execute.
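The infection chain above (a Store-installed game launches, reaches out to a remote server, then gains persistence through the Startup folder) is the kind of sequence endpoint telemetry can catch. The following is an added detection example written for this article, not CPR’s code or anything from the report; the event format, paths and addresses are constructed sample data.

```python
"""Correlate constructed endpoint telemetry for the Electron Bot infection
pattern described above: a Microsoft Store app launches, contacts a remote
host, and afterwards writes a file into the user's Startup folder."""
import json
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Fields loosely mimic
# Sysmon-style process / network / file-create records keyed by process id.
SAMPLE_EVENTS = r"""
{"ts": 1, "type": "process", "pid": 410, "image": "C:\\Program Files\\WindowsApps\\SampleGame_1.0\\Game.exe", "parent": "explorer.exe"}
{"ts": 2, "type": "network", "pid": 410, "dst": "203.0.113.10:443"}
{"ts": 3, "type": "file", "pid": 410, "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"}
{"ts": 4, "type": "process", "pid": 511, "image": "C:\\Program Files\\WindowsApps\\Notes_2.1\\Notes.exe", "parent": "explorer.exe"}
{"ts": 5, "type": "network", "pid": 511, "dst": "198.51.100.7:443"}
{"ts": 6, "type": "process", "pid": 622, "image": "C:\\Temp\\setup.exe", "parent": "explorer.exe"}
{"ts": 7, "type": "file", "pid": 622, "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\tool.lnk"}
"""

STORE_APP_DIR = re.compile(r"\\WindowsApps\\", re.IGNORECASE)   # Store-installed packages
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_store_app_persistence(events):
    """Return one alert per Startup-folder drop made by a Store app that had
    already talked to the network, i.e. the ordering the article describes."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        proc = next((e for e in evs if e["type"] == "process"), None)
        if not proc or not STORE_APP_DIR.search(proc["image"]):
            continue  # only Store-delivered apps are in scope here
        net_ts = [e["ts"] for e in evs if e["type"] == "network"]
        drops = [e for e in evs if e["type"] == "file" and STARTUP_DIR.search(e["path"])]
        for d in drops:
            if any(t < d["ts"] for t in net_ts):  # download happened before persistence
                alerts.append({"pid": pid, "image": proc["image"], "dropped": d["path"]})
    return alerts


if __name__ == "__main__":
    for alert in find_store_app_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"pid {alert['pid']}: {alert['image']} wrote {alert['dropped']} after network activity")
```

Only the game process (pid 410) is flagged: the second Store app never touches the Startup folder, and the non-Store installer is out of scope for this rule.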
CPR used the popular Temple Endless Runner 2 game as an example of the games cloned by the Electron Bot attackers. The listing for this particular game describes an “infinite” runner escaping from an enemy by crossing cliffs, forests and mines, with evil ape monsters in hot pursuit; it carries a photosensitive seizure warning and about 100 reviews.
Click-Happy App Store Customers, Beware
It’s that kind of (potentially seizure-inducing) popularity that gets us into trouble.
As it is, official app stores are rife with fraud, fleeceware and banking trojans. The latest of the lot is the Xenomorph banking trojan recently discovered by ThreatFabric, and the most ironic must surely be Vultur, a trojan tucked into a fully functioning two-factor authentication (2FA) app that recently infected 10,000 victims who downloaded it from Google Play.
Electron Bot’s successful incursion into Microsoft’s official app store is just the latest glaring example of how people throw caution to the wind when they see a shiny new toy on the app stores, CPR researchers warned: “Given most people think that you can trust application store reviews, they do not hesitate to download an application from there.”
CPR passed on these safety tips: