Check Point’s Moshe Marelus reported that “Electron Bot is a modular SEO poisoning virus that is used for social media promotion and click fraud, and it’s primarily distributed through the Microsoft Store platform, where it’s dumped from dozens of infected software, largely games, that the attackers are continually uploading.”
The malware was named “Electron Bot” by the Israeli cybersecurity firm Check Point, after a command-and-control (C2) domain used in recent attacks. The attackers’ identities are unknown, but evidence suggests they may be based in Bulgaria.
More than 5,000 Windows workstations in Sweden, Bulgaria, Russia, Bermuda and Spain have been infected by a new malware capable of controlling social media accounts. It was spread through Microsoft’s official app store in the form of infected games.
Electron bot’s main capabilities are:
- SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results. This method is also sold as a service to promote the ranking of other websites.
- Ad clicker, a computer infection that runs in the background and constantly connects to remote websites to generate ‘clicks’ on advertisements, profiting financially from the number of times an advertisement is clicked.
- Promoting social media accounts, such as YouTube and SoundCloud, to direct traffic to specific content and increase views and ad clicks to generate profits.
- Promoting online products to generate profits from ad clicks, or to increase store ratings for higher sales.
The malware is reported to have gone through multiple revisions in the years since, gaining new features and evasion capabilities. The bot is designed to load payloads fetched from the C2 server at run time, which makes it harder to identify. It is built on the cross-platform Electron framework.
Electron Bot’s main function is to open a hidden browser window in order to perform SEO poisoning, generate ad clicks, route traffic to YouTube and SoundCloud content, and promote specific products to earn money from ad clicks or boost store ratings for increased sales.
Before the dropper downloads the actual bot malware, it first checks for security products from vendors such as Kaspersky Lab, ESET, Norton Security, Webroot, Sophos, and F-Secure.
The game publishers that pushed the malware-laced apps are listed below:
- Lupy games
- Crazy 4 games
- Jeuxjeuxkeux games
- Akshi games
- Goo Games
- Bizzon Case
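The publisher list above is the most actionable triage detail in the article. The following PowerShell script is an added example, not code from the article or from Check Point: it inventories installed Microsoft Store (Appx) packages and reports any whose name, publisher or publisher ID contains one of the names above. The publisher strings are taken from the list; the substring match is an assumed heuristic (the `Publisher` field of an Appx package is a distinguished name, not necessarily the store display name), so hits should be reviewed manually rather than removed automatically.

```powershell
# Added example (not from the article or Check Point): list installed Store apps whose
# metadata matches the publisher names reported above. Substring matching is a heuristic.
$ReportedPublishers = @(
    'Lupy games', 'Crazy 4 games', 'Jeuxjeuxkeux games',
    'Akshi games', 'Goo Games', 'Bizzon Case'
)

function Find-SuspectStoreApps {
    param([string[]]$Publishers = $ReportedPublishers)

    # -AllUsers needs an elevated shell; fall back to the current user's packages otherwise.
    try   { $pkgs = Get-AppxPackage -AllUsers -ErrorAction Stop }
    catch { $pkgs = Get-AppxPackage }

    foreach ($p in $pkgs) {
        # Collapse whitespace so 'LupyGames' and 'Lupy games' both match.
        $hay = ("$($p.Name) $($p.Publisher) $($p.PublisherId)") -replace '\s', ''
        foreach ($pub in $Publishers) {
            $needle = [regex]::Escape(($pub -replace '\s', ''))
            if ($hay -match $needle) {          # -match is case-insensitive by default
                [pscustomobject]@{
                    Name             = $p.Name
                    Publisher        = $p.Publisher
                    Version          = $p.Version
                    InstallLocation  = $p.InstallLocation
                    MatchedPublisher = $pub
                }
                break
            }
        }
    }
}

# Usage: print any matches as a table; no output means no package metadata matched.
Find-SuspectStoreApps | Format-Table -AutoSize
```

Run it in an elevated PowerShell session to cover packages installed for every user on the machine; a hit is a starting point for investigation (check the install location and the package's network activity), not proof of infection on its own.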
Finally, the researchers concluded that, “as the bot’s payload is loaded dynamically at each run time, assailants can tweak the code and shift the bot’s behaviour to high danger.” “They may, for example, start a second stage and release fresh malware, such as ransomware or a RAT. This can all take place without the victim’s knowledge.”
Indicator Of Compromise