Check Point’s Moshe Marelus reported that, “Electron Bot is a modular SEO poisoning virus that is used for social media promotion and click fraud, and it’s primarily distributed through the Microsoft Store platform, where it’s dumped from dozens of infected applications, largely games, that the attackers are continually uploading.”

The malware was dubbed “Electron Bot” by Israeli cybersecurity firm Check Point, after a command-and-control (C2) domain used in recent campaigns. The attackers’ identities are unknown, but evidence suggests they may be based in Bulgaria.

More than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda and Spain have been infected by new malware capable of controlling social media accounts. It was distributed through Microsoft’s official app store in the form of infected gaming apps.

Electron Bot’s main capabilities are:

  • SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results. The same technique is also sold as a service to boost the ranking of other websites.
  • Ad clicking: the bot runs in the background and constantly connects to remote websites to generate ‘clicks’ on advertisements, profiting from the number of times an advertisement is clicked.
  • Promoting social media accounts, such as YouTube and SoundCloud, to direct traffic to specific content and increase views and ad clicks to generate profits.
  • Promoting online products to generate profits from ad clicking or to inflate store ratings for higher sales.

The malware is said to have gone through multiple revisions over the years, gaining new features and evasion capabilities. The bot fetches its payload from the C2 server at run time rather than shipping it inside the installed app, which leaves little for static or signature-based detection to find in the Store package itself. It is built on the cross-platform Electron framework.

Electron Bot’s main function is to open a hidden browser window in which it performs SEO poisoning, generates ad clicks, routes traffic to YouTube and SoundCloud content, and promotes specific products, earning money from ad clicks or inflating store ratings to increase sales.

It also has features for managing social media accounts on Facebook, Google and SoundCloud, such as creating new accounts, signing in, and commenting on and liking other posts to boost views. When a user downloads one of the infected applications from the Microsoft Store, the game runs as expected but also drops and installs the next-stage dropper through JavaScript.

Before the dropper downloads the actual bot malware, it checks for security products from vendors such as Kaspersky Lab, ESET, Norton Security, Webroot, Sophos and F-Secure.

The list of game publishers that pushed the malware-laced apps is as follows –

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • Bizzon Case

Finally, the researchers concluded that, “as the bot’s payload is loaded dynamically at each run time, assailants can tweak the code and shift the bot’s behaviour to high danger. They may, for example, start a second stage and release fresh malware, such as ransomware or a RAT. This can all take place without the victim’s knowledge.”

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1 and on LinkedIn.

Indicators of Compromise (MD5 hashes)

Executables:

  • f2a97841d58aa9050b2275302be6aa78
  • 240e9adca3695da4ba177c0238141881
  • 33145894a81fd3f6fde4f528630b1f7a

Zipped folders:

  • 8720d6cefd71ef30c3fe66965fea841a
  • 0a919ab3c63608e00290c9d4d4eb3a01
  • 07ebca17e1083461fbbe3376fe5ec1ed
  • ec2c0a9be3ff2a922c02c9e1380eeabd
  • 52c4990d30a8a7b560c57e775895ccad
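As an added example, not code from the article or from Check Point, the following Python scanner hashes every file under a directory and reports those whose MD5 matches the indicators listed above. The two files it writes in `demo()` are constructed for the demonstration; the published hashes will only match the actual Store packages Check Point analysed, so the demo extends the IOC set with the hash of its own sample file to exercise the match path.

```python
"""Hash-match files against the Electron Bot MD5 indicators listed above."""
import hashlib
import os
import tempfile
from pathlib import Path

# The eight MD5 hashes published as Electron Bot indicators (copied from the list above).
ELECTRON_BOT_MD5 = frozenset({
    # Executables
    "f2a97841d58aa9050b2275302be6aa78",
    "240e9adca3695da4ba177c0238141881",
    "33145894a81fd3f6fde4f528630b1f7a",
    # Zipped folders
    "8720d6cefd71ef30c3fe66965fea841a",
    "0a919ab3c63608e00290c9d4d4eb3a01",
    "07ebca17e1083461fbbe3376fe5ec1ed",
    "ec2c0a9be3ff2a922c02c9e1380eeabd",
    "52c4990d30a8a7b560c57e775895ccad",
})


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory buffer (used for the constructed sample below)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20) -> str:
    """Stream a file through MD5 so large game packages are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=ELECTRON_BOT_MD5) -> dict:
    """Walk root and return {path: md5} for every regular file whose MD5 is in iocs.

    Symlinks are skipped so a planted link cannot drag the scan out of the tree,
    and unreadable (locked) files are skipped rather than aborting the whole run.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = md5_of_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[str(p)] = digest
    return hits


def demo() -> dict:
    """Constructed sample run: two files in a temp dir, one deliberately made to match.

    The published hashes belong to real samples that are not on this machine, so the
    IOC set is extended with the hash of a file created here. Returns {basename: md5}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "game.exe").write_bytes(b"harmless constructed test file")
        sample = root / "suspicious.zip"
        sample.write_bytes(b"constructed sample payload, not real malware")
        iocs = ELECTRON_BOT_MD5 | {md5_of_bytes(sample.read_bytes())}
        hits = scan_tree(root, iocs)
        return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    # Real use: scan_tree(r"C:\Program Files\WindowsApps") from an elevated shell.
    for path, digest in scan_tree(".").items():
        print(f"MATCH {digest}  {path}")
    print("demo hits:", demo())
```

On a Windows host the directory to point `scan_tree` at is `C:\Program Files\WindowsApps`, where Microsoft Store packages are installed; reading it needs an elevated shell. Treat a clean result as inconclusive: because the bot pulls its payload from the C2 server at run time and the publishers keep re-uploading new games, the hash list only covers the samples Check Point catalogued, and a hidden Electron browser window or traffic to the C2 domain is the stronger sign of infection.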
