December 9, 2023

A new strain of malware called Electron Bot, has already infected more than 5,000 machines worldwide. Once it takes over a victim’s system, it can control their social media accounts on services such as Facebook and SoundCloud.

It can register new accounts, log in with your credentials, share posts, and even comment on and like other posts. Check Point Research, the research firm that discovered the malware, found it was being actively distributed through Microsoft’s official app Store, where it masquerades as popular games like Temple Run or Subway Surfer.

Advertisements

Once downloaded on to a user’s system, the malware begins a SEO poisoning routine, a method where threat actors create fake websites and use search engine optimisation tactics to rank them high in search results online.

It also functions as an “ad-clicker” an automatic process where it will constantly generate clicks on remote websites to increase ad revenue. Since it can take control of social media accounts, it can promote fake apps and websites through them as well.

When an user launches an infected app, a JavaScript dropper is loaded dynamically in the background from the attackers’ server, It then executes several actions including downloading and installing the malware and gaining persistency on the startup folder.

This research analyzed a new malware called Electron Bot that has attacked more than 5,000 victims globally. Electron Bot infects machines when downloading certain apps from the official Microsoft store platform. The Electron framework provides Electron apps with access to all the computer resources, including GPU computing. As the bot’s payload is loaded dynamically at every run time, the attackers can modify the code and change the bots behavior to high risk

CPR researchers warn that there is incredible risk with that, and all users should follow a few safety tips when downloading applications:

  • Avoid downloading an application with small amount of reviews
  • Look for applications with good, consistent, and reliable reviews
  • Pay attention to suspicious application naming which is not identical to the original name
Advertisements

Indicators of Compromise

Executables:

  • f2a97841d58aa9050b2275302be6aa78
  • 240e9adca3695da4ba177c0238141881
  • 33145894a81fd3f6fde4f528630b1f7a

Zipped folders:

  • 8720d6cefd71ef30c3fe66965fea841a
  • 0a919ab3c63608e00290c9d4d4eb3a01
  • 07ebca17e1083461fbbe3376fe5ec1ed
  • ec2c0a9be3ff2a922c02c9e1380eeabd
  • 52c4990d30a8a7b560c57e775895ccad

Game publishers:

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • Bizzon Case

C&C Domains:

  •  11k[.]online
  • Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com

Dropping domain:

  •  s3[.]eu-west-1[.]amazonaws[.]com
  • cdn[.]lupygames[.]com
  • crazy4games-flash[.]s3[.]eu-west-1[.]amazonaws[.]com
  • ytmp3[.]dog
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2

CISA KEV Update Part II – December 2023

December 7, 2023

Atlassian fixes critical RCE vulnerabilities in its products

December 6, 2023

Microsoft Echo’s on APT 28 exploiting CVE-2023-23397

December 5, 2023

Papercut Privilege Escalation Vulnerability Unearthed

December 5, 2023
%d