Beware of what you download from Microsoft's Official Store. Check Point Research (CPR) recently discovered a new malware strain that puts your social media accounts at risk of being hijacked.
According to the research group's report, the malware, dubbed "Electron Bot," has already infected 5,000 machines around the world. It continually executes attacker commands such as controlling social media accounts, registering new accounts, logging in, and commenting on and liking other posts.
The research group named the malware after its command-and-control (C&C) domain.
What Is Electron Bot Malware?
Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. It is mainly distributed through Microsoft's Official Store, hidden in several infected applications, mostly video games, that the attackers uploaded. These games are usually "clones" of popular titles such as "Temple Run" and "Subway Surfer," per Money Control.
The malware grew out of an ad clicker campaign the attackers ran at the end of 2018, when it was hidden in Microsoft's Official Store inside an app called "Album by Google Photos." According to the CPR report, the app's listing claimed Google LLC as its developer.
The malware was built with Electron, a framework for building cross-platform desktop applications using web technologies, which gives it the capabilities of a browser controlled by scripts such as JavaScript.
Additionally, the scripts that give the attackers control over the malware are dynamically loaded at run time from their servers, allowing them to modify the payload and change the bots' behavior whenever they want.
How Does Electron Bot Malware Infect Devices?
According to a BGR report, after an infected application is downloaded and launched, it executes a JavaScript dropper that is loaded dynamically in the background from the attackers' server. The dropper then performs several actions, including downloading and installing the malware on the now-infected device and gaining persistence through the Startup folder.
However, the malware is only launched the next time the user starts the device. It then connects to the C&C domain (Electron Bot) and receives a dynamic JavaScript payload with a set of capability functions that can control the user's social media accounts.
Once the attackers have access to the user's social media accounts, they can use them to promote other social media accounts and online products to generate traffic, increase views and earn a profit. The malware can also mimic human browsing behavior to evade website protections.
Electron Bot Malware Protection
CPR recommended avoiding apps with only a small number of reviews in favor of apps with good, consistent and reliable reviews. If you think you have downloaded an app infected with Electron Bot, you have to uninstall it, remove the malware's package folder from the device's Packages folder, and remove the associated LNK file from the Startup folder.
The research group also advised people to pay attention to suspicious application names that are not identical to the original, such as "Temple Endless Runner 2" versus its original counterpart, "Temple Run 2."
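The persistence described above (an LNK shortcut in the Startup folder pointing into a Store app's package folder) and the cleanup CPR recommends can both be checked from PowerShell. The script below is an added example, not code from the article or from the CPR report. It assumes Store app data lives under %LOCALAPPDATA%\Packages (the standard location), resolves every shortcut in the per-user Startup folder, and flags those whose target or arguments point into a package folder. The shortcut and package names used in the remediation step are placeholders, since the article does not give the malicious package's real name; the deletions run with -WhatIf so nothing is removed until you replace the placeholders and drop that switch.

```powershell
# Added example (not from the article or the CPR report): triage the per-user
# Startup folder for .lnk files that resolve into a Store app's package folder,
# which is the persistence pattern the report describes.

function Get-StartupShortcutTarget {
    $startup  = [Environment]::GetFolderPath('Startup')   # per-user Startup folder
    $packages = Join-Path $env:LOCALAPPDATA 'Packages'    # Store app data (assumed standard path)
    $shell    = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            # True when the shortcut launches something from a package folder
            InPackages = ($lnk.TargetPath -like "$packages\*") -or ($lnk.Arguments -like "*$packages*")
            Created    = $_.CreationTime
        }
    }
}

# 1. Review: a recently created shortcut into a package folder of an app you do
#    not recognise is worth investigating.
Get-StartupShortcutTarget | Sort-Object Created -Descending | Format-Table -AutoSize

# 2. Remediation (after uninstalling the app from Settings > Apps): remove the
#    shortcut and the package folder. PLACEHOLDER values must be replaced with
#    the names found in step 1; remove -WhatIf to actually delete.
$suspectLnk     = Join-Path ([Environment]::GetFolderPath('Startup')) 'PLACEHOLDER-shortcut-name.lnk'
$suspectPackage = Join-Path (Join-Path $env:LOCALAPPDATA 'Packages') 'PLACEHOLDER-PackageFamilyName'

if (Test-Path -LiteralPath $suspectLnk)     { Remove-Item -LiteralPath $suspectLnk -WhatIf }
if (Test-Path -LiteralPath $suspectPackage) { Remove-Item -LiteralPath $suspectPackage -Recurse -WhatIf }
```

Run the triage step first and keep the output; a Startup shortcut created at about the same time as the game was installed, launching a script or executable from inside that app's package folder, matches the behavior CPR describes and is what the two delete lines are meant to remove.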