Beware of malware. Malware detected in Microsoft Store
So far, hidden malware has been detected regularly in the Google Play Store. However, it turns out that applications in the Microsoft Store are not free from threats either. Cybersecurity experts from Check Point Research have just announced the discovery of malware that has infected more than 5,000 computers in twenty countries in recent months. Most of the victims are in Sweden, Bermuda, Israel and Spain.
Dozens of infected apps
Dozens of apps in the Microsoft Store were reportedly infected, including popular games such as “Temple Run” and “Subway Surfer” from six publishers. The Electron-bot malware embedded in them was primarily able to control Facebook, Google and Sound Cloud social media accounts.
Among the malware’s capabilities, Check Point analysts list, among others:
– SEO poisoning, i.e. a technique in which cybercriminals create malicious websites and use search engine optimization to display them prominently in search results;
– Ad clicking, i.e. generating clicks on ads;
– Promoting accounts on social media;
– Promoting products online, for example to generate revenue from ads.
Moreover, because the Electron Bot is loaded dynamically, attackers can use the installed malware as a backdoor to take full control of the victims’ computers.
“Our research analyzed a new malware called Electron-Bot that has attacked more than 5,000 victims worldwide. Electron-Bot is easily spread via the official Microsoft Store platform. The Electron framework gives applications access to all computer resources, including GPU processing. Since the bot payload is dynamically loaded at runtime, attackers can modify the code and change the behavior of the bots to a high-risk profile. For example, they can launch the second stage and download new malware such as ransomware or a RAT. All this can happen without the knowledge of the victim. Unfortunately, most people find App Store reviews trustworthy, and they don’t hesitate to download apps from there. However, the risk is there because you never know which malicious elements you might download,” explains Daniel Alema, Malware Analyst at Check Point Research.
Check Point researchers have discovered evidence that the malware may have originated in Bulgaria. All variants from 2019-2022 were uploaded to the Bulgarian public cloud “mediafire.com”, the promoted Sound Cloud account and YouTube channel are called “Ivaylo Yordanov” (a famous Bulgarian wrestler/football player), and Bulgaria is the country named in the source code. Check Point Research reports that it has notified Microsoft of all game publishers associated with the campaign.
This is how the attack works
The malware campaign works in the following steps:
1. The attack starts with the installation of a Microsoft Store app that pretends to be legitimate.
2. After installation, the attacker downloads files and runs scripts.
3. The downloaded malware establishes persistence on the victim’s computer and repeatedly executes different commands sent from the attacker’s C&C server.
To avoid detection, most of the malware’s control scripts are loaded dynamically at runtime from the attackers’ servers. This allows the attackers to modify the malware payload and change the behavior of the botnet at any time. The malware uses the Electron framework to mimic human browsing behavior and bypass website protections.
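The three steps above describe a behavioral pattern that endpoint telemetry can surface: an Electron-based app that connects to a remote host, writes a script file into a user-writable location, and then executes that same script. The following is an added defender-side example (it is not code from the article or from Check Point Research) that correlates such a sequence per process over a constructed set of telemetry events. The event format, the `(electron)` tag on process names, the process names such as `TempleRunGame.exe`, and the file paths are all assumptions made for the example; only the hosting domain `mediafire.com` comes from the article.

```python
"""Correlate per-process telemetry to flag dynamic script loading by an
Electron app (added example; event schema and sample data are constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # monotonically increasing timestamp (constructed)
    pid: int       # process id the event belongs to
    kind: str      # "process" | "network" | "file" | "script"
    detail: str    # image name, remote host, written path or executed path


# Constructed sample telemetry, not real logs. PID 100 shows the suspicious
# chain (Electron app -> remote host -> .js write -> execution of that file);
# PIDs 200 and 300 are benign activity that must not be flagged.
SAMPLE_EVENTS = [
    Event(1, 100, "process", "TempleRunGame.exe (electron)"),
    Event(2, 100, "network", "mediafire.com"),
    Event(3, 100, "file", r"C:\Users\victim\AppData\Roaming\TempleRunGame\update.js"),
    Event(4, 100, "script", r"C:\Users\victim\AppData\Roaming\TempleRunGame\update.js"),
    Event(5, 200, "process", "notepad.exe"),
    Event(6, 200, "file", r"C:\Users\victim\Documents\notes.txt"),
    Event(7, 300, "process", "Slack.exe (electron)"),
    Event(8, 300, "network", "slack.com"),
]


def find_dynamic_payload_loads(events):
    """Return one finding per process that, in order: started as an Electron
    app, talked to a remote host, wrote a .js file, then executed that file.
    The '(electron)' tag is a stand-in for a real check of loaded modules."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        image = None          # set once the process is known to be Electron-based
        hosts = []            # remote hosts contacted before any script write
        written = set()       # .js paths written after a network connection
        for ev in evs:
            if ev.kind == "process":
                if "(electron)" in ev.detail:
                    image = ev.detail
            elif image is None:
                continue      # not an Electron process; ignore its activity
            elif ev.kind == "network":
                hosts.append(ev.detail)
            elif ev.kind == "file" and ev.detail.lower().endswith(".js") and hosts:
                written.add(ev.detail)
            elif ev.kind == "script" and ev.detail in written:
                findings.append({
                    "pid": pid,
                    "image": image,
                    "hosts": list(hosts),
                    "script": ev.detail,
                })
    return findings


if __name__ == "__main__":
    for f in find_dynamic_payload_loads(SAMPLE_EVENTS):
        print(f"pid={f['pid']} image={f['image']} hosts={f['hosts']} "
              f"executed={f['script']}")
```

The ordering check matters: a legitimate Electron app (PID 300) that only contacts its vendor is not flagged, and a non-Electron process that writes a file (PID 200) is skipped outright. In practice the host list would be compared against an allowlist of the app’s expected update endpoints, and a hit would be enriched with the Store package identity before escalation.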