Check Point Research (CPR) detected a new malware, dubbed Electron Bot, which has infected over 5,000 active machines worldwide. CPR chose the name based on the last campaign's C&C domain, Electron-bot[.]s3[.]eu-central-1[.]amazonaws[.]com.
Electron Bot is a modular SEO-poisoning malware used for social media promotion and click fraud. It is distributed mainly through the Microsoft Store, dropped by dozens of infected applications, mostly games, which the attackers upload continuously.
The attackers' activity was first seen as an ad-clicker campaign discovered at the end of 2018, when the malware was hiding in the Microsoft Store as an app called "Album by Google Photos" that claimed to be published by Google LLC.
The malware has constantly evolved through the years as attackers add new features and techniques to its arsenal.
The bot is built with Electron, a framework for building cross-platform desktop applications with web technologies (HTML, CSS and JavaScript). Electron combines the Chromium rendering engine with the Node.js runtime, so an Electron app is effectively a full browser driven by JavaScript, with Node's access to the file system and network on top.
To avoid detection, most of the scripts that control the malware are loaded dynamically at run time from the attackers' servers. This lets the attackers modify the payload and change the bot's behaviour at any time, without touching the application published in the store.
Electron Bot's main capabilities are:
- SEO poisoning: the attackers create malicious websites and use search engine optimization tactics to make them rank prominently in search results. The same capability is also sold as a service to promote other websites' rankings.
- Ad clicking: the bot runs in the background and constantly connects to remote websites to generate "clicks" on advertisements, profiting from the number of times an ad is clicked.
- Social media promotion: directing traffic to specific YouTube and SoundCloud content to increase views and ad clicks.
- Product promotion: generating profit through ad clicking on online products, or inflating a store rating to drive higher sales.
- Account control: the payload contains functions that control social media accounts on Facebook, Google and SoundCloud. It can register new accounts, log in, and comment on and "like" other posts.
- Evasion: the malware uses the Electron framework to imitate human browsing behaviour and evade website bot protections.
The infection chain:
- The chain is similar to most campaigns, starting with the installation of an infected application downloaded from the Microsoft Store.
- When the user launches the game, a JavaScript dropper is loaded dynamically in the background from the attackers' server. It downloads and installs the malware and gains persistence by placing it in the Startup folder.
- The malware is launched at the next system startup. It connects to the C&C and receives a dynamic JavaScript payload with a set of capability functions. Finally, the C&C sends the configuration file that contains the commands to execute.
The Campaign:
The campaign begins when a user downloads one of the infected applications from the legitimate Microsoft Store. To demonstrate, CPR used the game "Temple Endless Runner 2", published on September 6, 2021, which has close to one hundred reviews.
The game is built with Electron, so most of the files in its folder belong to the Electron framework. The executable "app.exe" is the Electron runtime itself; it loads and runs the scripts located in the resources folder.
The resources folder holds an ASAR file named "app.asar". ASAR is Electron's simple tar-like archive format used to package an application's source code; Electron reads the files straight out of the archive at run time rather than unpacking them to disk, so the code never appears as plain files on the machine.
In this analysis, the researchers used the "ASAR 7zip extension" to extract the source code from "app.asar". The official asar tool does the same from the command line: `npx asar extract app.asar out/` writes the packaged files into the out/ directory.
The source code folder contains a few JavaScript and HTML files. They are surprisingly small, most with fewer than 10 lines of code, because the main scripts are loaded dynamically at run time; the packaged code is only a loader.
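The pattern just described, a packaged app whose scripts are tiny and fetch their real logic at run time, is easy to check mechanically once you can read the archive. The following is an added example, not code from the CPR report or from the malware: a minimal reader for the ASAR format (plus a builder used only to construct a sample archive in memory), with a triage pass that lists every packaged file and flags small JavaScript or HTML files that reference remote URLs or run-time code execution. The sample archive, its file names and the hostname loader.example.invalid are constructed for the example and are not indicators from the campaign.

```javascript
'use strict';
// Added example, not code from the CPR report or the malware: a minimal reader
// (and, for the constructed sample, a writer) for Electron's ASAR format, plus a
// triage pass that lists every packaged file and flags small JavaScript/HTML
// files that pull code from the network at run time.
//
// ASAR layout (as written by Electron's asar package):
//   [u32 LE 4][u32 LE headerPickleLen]                      8-byte size pickle
//   [u32 LE payloadLen][u32 LE jsonLen][json padded to 4]   header pickle
//   [file data ...]  each file's "offset" is relative to 8 + headerPickleLen

// Indicators of run-time code loading; tune these for your own corpus.
const LOADER_PATTERNS = [
  /https?:\/\//i,                       // hard-coded remote URL
  /executeJavaScript\s*\(/,             // webContents.executeJavaScript
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /<script[^>]+src\s*=\s*["']https?:/i, // remote <script> tag in HTML
];

const align4 = (n) => (n + 3) & ~3;

// Build an archive from a {path: content} map. Used only to construct the sample.
function buildAsar(files) {
  const header = { files: {} };
  const blobs = [];
  let offset = 0;
  for (const [p, content] of Object.entries(files)) {
    const buf = Buffer.from(content, 'utf8');
    const parts = p.split('/');
    let node = header.files;
    for (const dir of parts.slice(0, -1)) {
      node[dir] = node[dir] || { files: {} };
      node = node[dir].files;
    }
    node[parts[parts.length - 1]] = { size: buf.length, offset: String(offset) };
    blobs.push(buf);
    offset += buf.length;
  }
  const json = Buffer.from(JSON.stringify(header), 'utf8');
  const padded = align4(json.length);
  const headerPickleLen = 8 + padded;
  const head = Buffer.alloc(8 + headerPickleLen); // zero-filled, so padding is zeros
  head.writeUInt32LE(4, 0);
  head.writeUInt32LE(headerPickleLen, 4);
  head.writeUInt32LE(4 + padded, 8);
  head.writeUInt32LE(json.length, 12);
  json.copy(head, 16);
  return Buffer.concat([head, ...blobs]);
}

// Parse an archive into [{path, size, content}] without extracting to disk.
function parseAsar(archive) {
  if (archive.length < 16 || archive.readUInt32LE(0) !== 4) {
    throw new Error('not an ASAR archive');
  }
  const headerPickleLen = archive.readUInt32LE(4);
  const jsonLen = archive.readUInt32LE(12);
  const header = JSON.parse(archive.subarray(16, 16 + jsonLen).toString('utf8'));
  const dataBase = 8 + headerPickleLen;
  const entries = [];
  const walk = (node, prefix) => {
    for (const [name, info] of Object.entries(node)) {
      const full = prefix ? `${prefix}/${name}` : name;
      if (info.files) { walk(info.files, full); continue; }
      const start = dataBase + Number(info.offset);
      if (start + info.size > archive.length) throw new Error(`truncated entry: ${full}`);
      entries.push({ path: full, size: info.size, content: archive.subarray(start, start + info.size) });
    }
  };
  walk(header.files, '');
  return entries;
}

// Flag script files that are both tiny and reference run-time code loading.
function triage(entries, maxLines = 10) {
  return entries
    .filter((e) => /\.(js|html)$/i.test(e.path))
    .map((e) => {
      const text = e.content.toString('utf8');
      const lines = text.split('\n').filter((l) => l.trim()).length;
      const hits = LOADER_PATTERNS.filter((re) => re.test(text)).map(String);
      return { path: e.path, lines, hits, suspicious: lines <= maxLines && hits.length > 0 };
    });
}

// Constructed sample mimicking the layout described above: a handful of tiny
// files, one of which fetches the real logic from a hypothetical remote host.
const SAMPLE_ASAR = buildAsar({
  'package.json': '{"name":"game","main":"main.js"}',
  'main.js': "const { app, BrowserWindow } = require('electron');\n" +
             "app.whenReady().then(() => new BrowserWindow().loadFile('index.html'));\n",
  'index.html': '<html><body><script src="https://loader.example.invalid/app.js"></script></body></html>\n',
  'src/game.js': 'module.exports = { start() { return 42; } };\n',
});

function triageSample() {
  return triage(parseAsar(SAMPLE_ASAR));
}

for (const r of triageSample()) {
  console.log(`${r.suspicious ? '!!' : '  '} ${r.path} (${r.lines} lines) ${r.hits.join(' ')}`);
}
```

To run it against a real archive, replace SAMPLE_ASAR with `require('fs').readFileSync('app.asar')`. Real archives may also contain entries marked "unpacked" (stored beside the archive in app.asar.unpacked) or "link" entries for symlinks; this minimal reader ignores both, so fall back to `npx asar extract` when you see them. The line-count threshold is deliberately crude: a legitimate app's entry point is often short too, so treat a hit as a reason to read the file, not as a verdict.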
Conclusion and Safety Tips:
Although the bot currently does not engage in high-risk activities on the infected machine, it is important to be aware of its capabilities.
This research analysed a new malware called Electron Bot that has attacked more than 5,000 victims globally. Electron Bot infects machines when certain apps are downloaded from the official Microsoft Store. Through Node.js, Electron gives an app full access to the machine's resources, including the file system, the network and GPU computing. Because the bot's payload is loaded dynamically at every run, the attackers can modify the code at any time and turn the bot's behaviour into something far more dangerous: for example, they can initialise a second stage and drop new malware such as ransomware or a RAT, all without the victim's knowledge.
Given that most people assume application store reviews can be trusted, they do not hesitate to download applications from there. However, CPR researchers warn that this carries real risk, and all users should follow a few safety tips when downloading applications:
- Avoid downloading an application with a small number of reviews
- Look for applications with good, consistent and reliable reviews
- Pay attention to suspicious application naming which is not identical to the original name