Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
A recent malware disseminated via Microsoft's official store and dubbed Electron Bot is capable of taking control over social media applications and infected around 5,000 machines around the globe.
Electron Bot is a new type of malware equipped with features to compromise social media applications. According to the Check Point Research Team, the malware acts as a backdoor. It has already infected over 5,000 machines around the globe in several countries, such as Sweden, Bulgaria, Russia, Bermuda and Spain.
This malware executes several commands in a loop related to the social networks, including Facebook, Google and Sound Cloud. The actions executed by malware are: registering new accounts, logging in, commenting on and "like" other posts.
Electron Bot is a modular SEO poisoning agent developed for social media promotion and executing click fraud movements. It has been distributed via Microsoft's official store and dropped from a large volume of infected game applications,
The malware doesn't have malicious detections on VirusTotal or analysis by Check Point at the moment, as observed below. [CLICK IMAGES TO ENLARGE]
Figure 1: Electron Bot - no malicious detection on VirusTotal 21-02-2022 (source).
Become a certified reverse engineer!
How Electron Bot malware works
This piece of malware has evolved over the years, with criminals adding new techniques and TTP in their arsenal. The malware was first detected at the end of 2018 by taking advantage of malicious ad campaigns to target users in the wild.
The high-level diagram of Electron Bot can be seen below.
Figure 2: High-level diagram of Electron Bot by Check Point (source).
As observed, the malware infection chain starts with downloading a fake application from Microsoft's legitimate store that will drop the malicious payload on the disk — the malware itself. One analyzed application is dubbed "Temple Endless Runner 2," infected with the malicious payload.
Figure 3: Fake application that will drop the Electron Bot payload (source).
After the initial execution, Electron Bot is executed in the background, and it downloads its configuration from the C2 server. The configuration files are the fake game to lure victims, embedded in an HTML file and some JavaScript and CSS files as presented below.
Figure 4: Configuration files downloaded from the C2 server during the malware execution (source).
To achieve persistence, the malware creates a shortcut file into the Windows startup folder named "Windows Security Update.exe." It is started when the Windows is initiated next time.
About the malware commands, they are not the same for every victim. The commands depend on the victim's geolocation, and the configuration is obtained from the C2 server after the language/geolocation validation.
Figure 5: Malware matches the victim geolocation to download the configuration file related to the commands to execute(source).
In detail, a popular feature of this malware is the promotion of Youtube channels by watching videos and adding new comments, subscriptions, and so on.
Figure 6: Target commands found on several Youtube channels related to this malware (source).
Become a certified reverse engineer!
Understanding the Electron Bot malware
Electron Bot is a new type of malware that takes advantage of victims' machines to promote social media applications by watching videos and adding new comments and subscriptions. Although this malware doesn't put the compromised users' machines at risk, it is important to be aware of its features. In this sense, defensive software such as EDR and antivirus is a rule of thumb to fight these kinds of threads. The download of applications with a few reviews should be avoided as well, as criminals have used suspicious applications that impersonate legitimate ones to lure victims.
Let's take malware protection seriously and be aware of the emerging threats that have evolved in recent months.
Sources:
- Electron Bot malware analysis, Check Point
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis