Check Point Research (CPR) has detected new malware that is widely distributed through game apps on Microsoft's official store. Named Electron-Bot, the malware can control its victims' social media accounts, including Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment and "like" other posts. CPR has so far counted 5,000 victims in 20 countries. CPR urges users to immediately delete applications from a number of publishers.
- Popular games such as "Temple Run" or "Subway Surfer" were found to be malicious.
- Attackers can use the installed malware as a backdoor to gain complete control over the victim's machine.
- Most victims come from Sweden, Bermuda, Israel and Spain.
Check Point Research (CPR) has identified new malware that is widely distributed through Microsoft's official store. With more than 5,000 machines already affected, the malware constantly executes attackers' commands, such as controlling social media accounts on Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment and "like" other posts.
Named Electron-Bot by CPR, the malware has the following full capabilities:
- SEO poisoning, a method of attack in which cybercriminals create malicious websites and use search engine optimization tactics to make them appear prominently in search results. This method is also sold as a service to promote the ranking of other websites.
- Ad clicker, a computer infection that runs in the background and constantly connects to remote websites to generate "clicks" on advertisements, thereby profiting financially from the number of times an ad is clicked.
- Promotion of social media accounts, such as YouTube and SoundCloud, to drive traffic to specific content and increase views and ad clicks to generate profits.
- Promotion of online products, to generate profits from ad clicks or to increase the store rating for higher sales.
In addition, as the payload of Electron-Bot is loaded dynamically, attackers can use the installed malware as a backdoor to gain complete control over the victim's machine.
Distribution through game applications in the Microsoft Store
There are dozens of infected applications in the Microsoft Store. Popular games such as "Temple Run" or "Subway Surfer" were found to be malicious. CPR has identified several malicious game publishers; all applications under these publishers are associated with the malicious campaign:
- Loopy games
- Crazy 4 games
- Jeuxjeuxkeux games
- akshi games
- goo games
- bison case
Victims
So far, CPR has counted 5,000 victims in 20 countries. Most of the victims come from Sweden, Bermuda, Israel and Spain.
How the malware works
The malicious campaign works in the following steps:
- The attack starts with the installation of a Microsoft Store application that pretends to be legitimate.
- After installation, the attacker downloads files and executes scripts.
- The downloaded malware gains persistence on the victim's machine, repeatedly executing various commands sent by the attacker's C&C.
To avoid detection, most of the scripts that control the malware are loaded dynamically at run time from the attackers' servers.
This allows the attackers to modify the malware's payload and change the bots' behavior at any time. The malware uses the Electron framework to mimic human browsing behavior and bypass website protections.
Attribution
There are indications that the malware campaign started in Bulgaria, such as:
- All variants between 2019 and 2022 were uploaded to the public storage "mediafire.com" from Bulgaria.
- The SoundCloud account and the YouTube channel that the bot promotes are under the name "Ivaylo Yordanov", a popular Bulgarian wrestler / soccer player.
- Bulgaria is the country most promoted in the source code.
Disclosure
CPR reported to Microsoft all game publishers identified and associated with this campaign.
Comment by Daniel Alima, Malware Analyst at Check Point Research:
"This investigation analyzed a new malware called Electron-Bot, which has affected more than 5,000 victims worldwide. Electron-Bot is downloaded and spreads easily from the official Microsoft Store platform.
The Electron framework gives Electron applications access to all computer resources, including the computer's GPU. As the bot's payload is loaded dynamically at each execution, attackers can modify the code and change the bot's behavior to high risk. For example, they can start another second stage and launch new malware such as ransomware or a RAT. All this can happen without the victim's knowledge.
Most people think that you can trust app store reviews and do not hesitate to download an app from there. There is an incredible danger with this, as you never know what malicious data you can download."
Security tips
To be as safe as possible, before downloading an app from the App Store:
- Avoid downloading an application with a small number of reviews.
- Look for applications with good, consistent and reliable reviews.
- Beware of suspicious application names that are not identical to the original name.
