Electron Bot has infiltrated Microsoft’s official store via clones of popular games such as Subway Surfer and Temple Run and has infected around 5,000 machines in Sweden, Israel, Spain, and Bermuda. Check Point discovered and analysed the malware. It is a backdoor that gives attackers unlimited access to infected PCs, allowing remote command execution and real-time interaction.
The threat actors’ goal is social media promotion and click fraud, which they carry out by taking control of social media accounts on Facebook, Google, YouTube, and SoundCloud. This is possible because Electron Bot supports new account registration, commenting, and liking.
An early Electron Bot variant was uploaded to the Microsoft Store as “Album by Google Photos,” published under a fake “Google LLC” publisher name. The operation was identified toward the end of 2018. Since then, the malware developers have added several new features and improved its detection-evasion capabilities, such as dynamic script loading.
The malware, named after the Electron framework on which it is built, can mimic natural browsing behaviour and act as if it were a real website visitor. It does this by using the Electron framework’s Chromium engine to open a new hidden browser window, set the relevant HTTP headers, render the requested HTML page, and finally perform mouse movements, scrolling, clicks, and keyboard typing.
In the continuing campaign being investigated by Check Point researchers, Electron Bot’s key aims are:
- SEO poisoning: Create malware-infecting websites that appear high in Google search results.
- Ad clicking: In the background, connect to external sites and click on non-viewable advertising.
- Social media account promotion: Direct visitors to certain content on social media networks.
- Online product promotion: Enhance the store rating by clicking on its advertisements.
These capabilities are supplied as a service to people who want to make money online illegally, so the malware operators profit only indirectly. As for attribution, Check Point says it found evidence pointing to the actors being based in Bulgaria, but nothing more is known about their identity or location.