The attackers have been using the malware for SEO poisoning, generating likes and shares for social media accounts, and generating revenue by making users’ devices click on programmatic ads.
A new malware capable of controlling social media accounts is actively being distributed through Microsoft’s official store and has already infected over 5,000 active machines worldwide, according to Check Point Research (CPR), which is the research wing of cybersecurity software firm Check Point.
The malware, called Electron Bot, is a modular SEO poisoning malware used for social media promotion and click fraud. It is distributed through the Microsoft Store platform and dropped by many infected applications, mostly games. Versions of popular games like Temple Run and Subway Surfer were found to be infected, according to the cybersecurity firm.
The infected applications are nearly indistinguishable from the original ones on the Microsoft Store, save for a few differences. SEO poisoning usually refers to the method where attackers create malicious websites and make them show up high in search engine results by using keyword stuffing and other black hat SEO methods.
Most of the scripts used to control the malware are loaded dynamically at run time from the attackers’ servers to avoid detection. This also allows the attackers to modify the malware’s payload and change the bots’ behaviour according to their requirements.
How it works and what it is used for
After a user downloads an infected program or game and launches it, a malware dropper is loaded in the background, dynamically from the attacker’s server. The dropper then executes several actions, including downloading and installing malware that gains persistence via the startup folder. The malware is launched at the next system startup.
Apart from SEO poisoning, attackers can also use Electron Bot to make the user’s computer click on advertisements and generate revenue for the attackers. They can also use it to promote social media accounts by using the victims’ accounts to like and share content, and to promote online products by inflating store ratings.
Although the attackers are yet to be identified, CPR believes that they could be Bulgaria-based. It came to this conclusion based on the fact that the bot is used to promote various Bulgarian social media accounts and products.
Even though the bot hasn’t been used to engage in high-risk activities, it poses a persistent threat due to its capabilities and adaptability. CPR recommends paying special attention while downloading applications from the Microsoft store.