Microsoft App Store infiltrated by Electron Bot-laced gaming apps

Backdoor malware threat can take over social media accounts

Microsoft Store spreading malware via fake gaming apps

Have you been on the Microsoft app store, seen one of the popular game apps, and thought about downloading it? Do not rush: it could be malware. In recent days, Israeli cybersecurity company Check Point found suspicious malware that was later named Electron Bot, a clear reference to a command-and-control (C2) domain used in recent campaigns.

This new malware can seemingly control social media accounts and is distributed through Microsoft's official app store. The gaming apps are trojanized and have already infected more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain. It is unclear who the attackers are, but current evidence suggests that they could be from Bulgaria.[1]

The Electron Bot malware allows attackers to take control of compromised machines. It can carry out its tasks remotely, and users are easily misled. The malware enables its operators to register new accounts, log in, and comment on and like other social media posts.[2] Experts and researchers describe “Electron Bot” as a “modular SEO-poisoning malware”.

So-called SEO-poisoning malware is mostly used for social media promotion and click fraud. In a typical SEO-poisoning attack, threat actors create malicious websites and use search engine optimization tactics that force those sites to the top of search results.

Buyers of fake followers could cause serious threats

Electron Bot seems to have been heavily modified and has become very evasive and difficult to detect. Its goal is to open a hidden browser window and use it to carry out SEO poisoning, generate clicks on ads, and generate profits. But the malware could also control personal social media accounts, such as Facebook or Gmail. Beyond controlling existing accounts, it could help to create more fake ones.[3]

Furthermore, Electron Bot can also promote online products to increase store ratings or generate revenue. Apart from performing social media promotion, it is connected to the trade in bought users and followers, which is popular across various social media platforms. Anyone who willingly buys fake followers or views could potentially be financing such activities too.

On the more technical side, Electron Bot is triggered when users download one of the infected applications. When the app is launched, it does load, but at the same time the next-stage dropper is installed via JavaScript. This doesn't mean that all Microsoft app store apps are dangerous. However, publishers like Lupy games, Crazy 4 games, Jeuxjeuxkeux games, Akshi games, Goo Games, and Bizzon Case have all already been impacted by the situation.

SEO poisoning is used as a form of advertisement

SEO-poisoning malware is especially threatening because it could cause a whole spectrum of problems. Simply put, SEO poisoning, also known as search poisoning, is an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results.[4] Usually, the sites are associated with terms that large numbers of people are likely to be using.

In this case, gaming apps are a savvy choice, as they are among the most popular apps in app stores. It is even more disturbing that Electron Bot is distributed through the popular Microsoft Store platform. However, that is the point, as malicious SEO poisoning is all about reaching a lot of people quickly and easily. Yet this malware needs to be improved, as cybersecurity and people's awareness are getting better.

Interestingly enough, huge SEO poisoning schemes tend to happen during major political campaigns and other major world events.[5] But there's always a way to protect yourself. Security experts recommend that you keep browser and antivirus software up to date, avoid clicking suspicious-looking links and never provide personal information online unless the site is truly valid and the transaction is secure.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
