fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malware Infiltrates Microsoft Store via Clones of Popular Games

Malware Infiltrates Microsoft Store via Clones of Popular Games

A malware named Electron Bot has found its way into Microsoft’s Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of roughly 5,000 computers in Sweden, Israel, Spain, and Bermuda.

The malware, spotted and analyzed by cyber-intelligence firm Check Point, is a backdoor that gives the adversaries complete control over compromised machines, supporting remote command execution and real-time interactions.

The goal of the threat actors is social media promotion and click fraud, which they achieve by controlling social media accounts on Facebook, Google, YouTube, and Sound Cloud, as Electron Bot supports new account registration, commenting, and liking on these platforms.

Also Read: Completed DPIA Example: 7 Simple Helpful Steps To Create

Three years of evolution

The operation was first discovered at the end of 2018 when an early Electron Bot variant was submitted to the Microsoft Store as “Album by Google Photos,” published by a spoofed Google LLC entity.

Since then, the malware authors have added several new features to their tool and advanced detection evasion capabilities like dynamic script loading.

The malware is written in Electron, hence the name, and it can emulate natural browsing behavior and perform actions as if it’s a real website visitor.

For this, it opens a new hidden browser window using the Chromium engine in the Electron framework, sets the appropriate HTTP headers, renders the requested HTML page, and finally performs mouse movement, scrolling, clicks, and keyboard typing.

Human mouse movement emulation
Human mouse movement emulation (Check Point)

Electron Bot’s primary goals in the ongoing campaign analyzed by the Check Point researchers are:

  • SEO poisoning – Create malware-dropping sites that rank high on Google Search results.
  • Ad clicking – Connect to remote sites in the background and click on non-viewable advertisements.
  • Social media account promotion – Direct traffic to specific content on social media platforms.
  • Online product promotion – Increase store rating by clicking on its advertisements.
Hardcoded YouTube comments
Hardcoded YouTube comments (Check Point)

These functions are offered as services to those who want to increase their online profits illegitimately, so the gains for the malware operators are indirect.

Also Read: 12 Benefits of Data Protection for Business Success

As for attribution, Check Point reports finding evidence pointing to the actors being based in Bulgaria, but besides that, nothing is known about the malicious actors’ identity or location.

Infection chain

The infection chain begins with the victim installing one of the laced apps from within the Microsoft Store, an otherwise trustworthy source of software.

Electron Bot infection chain
Electron Bot infection chain (Check Point)

Upon launching the application, a JavaScript dropper is loaded dynamically in the background to fetch the Electron Bot payload and install it.

The malware launches at the next system startup, connects to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws.com or 11k[.]online), retrieves its configuration, and executes any commands in the pipeline.

Because the main scripts are loaded dynamically at run time, the JS files dropped on the machine’s memory are very small and seemingly innocuous.

Commands supported by Electron Bot
Commands supported by Electron Bot (Check Point)

More than just a game

All laced games identified by Check Point featured the expected functionality while the malicious operations unfolded in the background.

This results in having positive user reviews on the Microsoft Store. For instance, Temple Endless Runner 2, which was published on September 6, 2021, has close to a perfect five-star rating from 92 reviews.

Of course, the crooks constantly refresh their lures and use different game titles and apps to deliver the malware payloads to unsuspecting victims.

Laced Temple Runner game on the Microsoft Store
Laced Temple Runner game on the Microsoft Store (Check Point)

For now, users may take note of the publishers who released confirmed malicious game apps using the following names:

  • Lupy games
  • Crazy 4 games
  • Jeuxjeuxkeux games
  • Akshi games
  • Goo Games
  • Bizzon Case

It is important to emphasize that while the existing version of Electron Bot isn’t causing catastrophic damage to the infected machines, the threat actors may easily modify the code to fetch a second-stage payload like a RAT or even ransomware.

Check Point suggests that Windows users avoid downloading applications with a low review count, scrutinize the developer/publisher details, and ensure that the app name is correct and not typo-squatted.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us