Check Point Research (CPR) has spotted new malware that is actively being distributed through Microsoft’s official store. With over 5 000 machines already affected, the malware continually executes attacker commands, such as controlling social media accounts on Facebook, Google and SoundCloud.
The malware can register new accounts, log in, comment on and “like” other posts.
“This research analysed a new malware called Electron-Bot that has attacked more than 5 000 victims globally,” says Daniel Alima, malware analyst at Check Point Research. “Electron-Bot is downloaded and easily spread from the official Microsoft store platform. The Electron framework provides Electron apps with access to all of the computer resources, including GPU computing.
“As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bot’s behaviour to high risk. For example, they can initialise another second stage and drop a new malware such as ransomware or a RAT. All of this can happen without the victim’s knowledge. Most people think that you can trust application store reviews, and they don’t hesitate to download an application from there. There’s incredible risk with that, as you never know what malicious items you can be downloading.”
The malware’s full capabilities are as follows:
• SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimisation tactics to make them show up prominently in search results. This method is also sold as a service to boost the ranking of other websites.
• Ad clicker, a computer infection that runs in the background and constantly connects to remote websites to generate “clicks” on advertisements, profiting from the number of times an advertisement is clicked.
• Promoting social media accounts, such as YouTube and SoundCloud, to direct traffic to specific content and increase views and ad clicks to generate profits.
• Promoting online products, to generate profits through ad clicks or to increase store ratings for higher sales.
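The ad-clicker behaviour in the list above has a recognisable footprint on a web proxy or endpoint log: a single process on a single host produces a steady stream of requests to advertising endpoints with no surrounding user browsing. The following detector is an added example written for this article, not Check Point's code or anything recovered from the malware; the log format, host names, process names, ad domains and thresholds are all constructed for the illustration and would need tuning against real traffic.

```python
"""Added example: flag processes whose traffic looks like a background ad clicker.

Assumed log format (one request per line, constructed for this example):
    <ISO timestamp> <host> <process> <destination host> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder ad-serving domains; in practice this comes from a
# threat-intel or ad-domain list, not from this article.
AD_DOMAIN_SUFFIXES = ("example-adnet.test", "example-tracker.test")

WINDOW = timedelta(seconds=60)  # assumed analysis window
MIN_AD_HITS = 5                 # assumed: ad requests inside one window to flag
MIN_AD_RATIO = 0.8              # assumed: share of a process's traffic that is ad traffic

# Constructed sample log: ws-01/game.exe hits only ad endpoints in a tight burst,
# ws-02/browser.exe shows ordinary browsing with a few embedded ad loads.
SAMPLE_LOG = """\
2022-02-24T10:00:01 ws-01 game.exe ads.example-adnet.test /click?id=101
2022-02-24T10:00:04 ws-01 game.exe ads.example-adnet.test /click?id=102
2022-02-24T10:00:09 ws-01 game.exe click.example-tracker.test /c?cid=7
2022-02-24T10:00:13 ws-01 game.exe ads.example-adnet.test /click?id=103
2022-02-24T10:00:20 ws-01 game.exe ads.example-adnet.test /click?id=104
2022-02-24T10:00:25 ws-01 game.exe ads.example-adnet.test /click?id=105
2022-02-24T10:00:02 ws-02 browser.exe news.example-site.test /index.html
2022-02-24T10:00:05 ws-02 browser.exe ads.example-adnet.test /banner.js
2022-02-24T10:00:06 ws-02 browser.exe cdn.example-site.test /app.js
2022-02-24T10:01:30 ws-02 browser.exe news.example-site.test /story/42
2022-02-24T10:01:31 ws-02 browser.exe ads.example-adnet.test /banner.js
"""


def parse_line(line):
    """Split one log line into (timestamp, host, process, destination, path)."""
    ts, host, proc, dest, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, proc, dest, path


def is_ad_domain(dest):
    """True when the destination is one of the listed ad domains or a subdomain of one."""
    return any(dest == s or dest.endswith("." + s) for s in AD_DOMAIN_SUFFIXES)


def max_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_ad_clickers(log_text, window=WINDOW, min_hits=MIN_AD_HITS, min_ratio=MIN_AD_RATIO):
    """Return {(host, process): (busiest-window ad hits, ad share of traffic)} for flagged pairs.

    A pair is flagged only when it both bursts ad requests (min_hits inside one
    window) and sends mostly ad traffic (min_ratio), so a browser rendering a
    few banners on a news site is not reported.
    """
    total = defaultdict(int)
    ad_times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, _ = parse_line(line)
        key = (host, proc)
        total[key] += 1
        if is_ad_domain(dest):
            ad_times[key].append(ts)

    flagged = {}
    for key, times in ad_times.items():
        burst = max_hits_in_window(times, window)
        ratio = len(times) / total[key]
        if burst >= min_hits and ratio >= min_ratio:
            flagged[key] = (burst, round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for (host, proc), (burst, ratio) in find_ad_clickers(SAMPLE_LOG).items():
        print(f"{host} {proc}: {burst} ad requests in {WINDOW.seconds}s, "
              f"{ratio:.0%} of its traffic")
```

Run as-is, the script reports only ws-01/game.exe; the browser on ws-02 makes two ad requests but they are spread apart and are a minority of its traffic. The two-signal rule (burst plus ratio) is what keeps this from paging on ordinary ad-supported browsing; the actual thresholds should be set from a baseline of the environment's normal traffic.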
In addition, as Electron-Bot’s payload is dynamically loaded, the attackers can use the installed malware as a backdoor in order to gain full control over the victim’s machine.
There are dozens of infected applications in the Microsoft store, says Check Point. Popular games such as “Temple Run” or “Subway Surfer” were found to be malicious.