Check Point Research (CPR) reports over a new kind of malware distributed via Microsoft’s official store. The new threat is capable of taking control over social media accounts on SoundCloud, Google and Facebook.
The researchers report that malware has already infected over 5000 active devices worldwide. It shows the ability to register new accounts, log in, make comments and even “like” other posts. Threat actors used such popular games as “Subway Surfer” and “Temple Run” to disperse the malware.
Subsequently they can use it as a backdoor gaining full control on the victim’s machine. Most victims targeted by the Electron Bot were from Sweden, Bermuda, Spain, Bulgaria and Russia.
CPR has already reported to Microsoft the found malware and all detected game publishers who are behind the campaign. The name of the malware researchers from CPR based on the last campaign’s C&CdomainElectron-Bot[.]s3[.]eu-central-1[.]amazonaws.com. The malware which is a modular SEO was used for click fraud and social media promotion.
The attackers began their malicious activity as an ad click campaign at the end of 2018. Back at that time the malware was hiding behind an app called “Album by Google Photos” in the Microsoft Store pretending to be the legitimate product of Google LLC. Over the years the malware received significant updates like new features and techniques. These days threat actors mainly distribute it via the Microsoft store platform, dropping from dozens of infected applications ( which in most cases are games). They also don’t forget to regularly upload it.
The malware uses the Electron framework that imitates human browsing behavior and evades website protections. Electron is a framework designed for building cross-platform desktop applications that use Web scripts. It combines Node.js runtime and Chromium rendering engine allowing for itself to have the capabilities of a browser which is controlled by scripts, for example JavaScript.
To avoid detection threat actors load the malware dynamically at run time from their servers. Such actions allow them to change the bots’ behavior and modify the malware’s payload at any time. Researchers described the next main capabilities of the Electron Bot:
Researchers describe the infection chain for the malware as usual for such a kind. It starts with the installation of an infected application that the user downloads from the Microsoft Store.
When the user launches the game, a JavaScript dropper loads dynamically in the background from the attackers’ server. After that several actions are being executed and among them downloading and installing the malware and gaining persistence on the startup folder.
When it comes to malware at the next system startup it launches. The malware also establishes connection with the C&C and subsequently receives a dynamic JavaScript payload with a set of capability functions. At the very end of the malicious process setup the C&C sends the configuration file containing commands to execute.
The researchers note that for now the malware doesn’t engage in any high risk activities on infected machines but it would be wise to know how to avoid the infection at all. Electron Bot can also serve for threat actors as a dropper for RAT or even ransomware. In addition it uses all of the computer resources, including GPU computing.
It is a usual thing for users to believe in the safety of the apps with at least some number of reviews. But one looking for an app might actually oversee the importance. We will repeat this once more: it is not enough for an app to be regarded legit and trusted solely because it has some number of reviews.
You need to look for differences in those reviews. Basically they should be read like the ones written by real people. It might not be a difficult task to do to see if a user puts themselves in the shoes of a real user.
Just think of your hypothetical review of the app you have been working with for extensive time. Whatever comes into your mind might be the example of a normal review by a real person.
In the end of their new threat review article researchers from CPR added a few safety tips on how to avoid getting infected with such and similar kinds of malware. And they will be the following:
In addition to these tips you can also check the publisher of the app and look for some info on it on the internet. If it’s something shady you will most likely get the expected result.
About News-bpudepi.today News-bpudepi.today pop-ups can not launch out of the blue. If you have actually…
About Doguhtam.xyz Doguhtam.xyz pop-ups can not expose out of nowhere. If you have clicked some…
About News-xlixoti.com News-xlixoti.com pop-ups can not introduce out of nowhere. If you have actually clicked…
About Ducesousightion.com Ducesousightion.com pop-ups can not introduce out of the blue. If you have actually…
About News-xlabica.live News-xlabica.live pop-ups can not launch out of the blue. If you have actually…
About Mergechain.co.in Mergechain.co.in pop-ups can not expose out of the blue. If you have clicked…