Beware Of Electron Bot Malware Hiding In Popular Gaming Apps At The Microsoft Store

malicious code
Another day another security risk. This one happens to get deployed via iffy software deployed on the Microsoft Store. This particular issue is related to installing games via the Microsoft Store, with those games often being clones of legitimate titles, so it is really easy to make this mistake.

Nicknamed Electron Bot by security researchers at Check Point Research, the malware runs a sort of browser instance in the background of a victim's computer to promote products, click on ads, and automate social media accounts. This malware is now showing up in clones of popular games, like Subway Surfer or Temple Run on the Microsoft Store. According to the researchers, there are roughly already 5,000 infected devices worldwide.

Electron Bot gets its name because it uses the Electron library system for JavaScript programming. This library uses the Chromium (which runs web browsers like Google Chrome and Microsoft Edge) rendering engine and NodeJS to provide a programming interface for runtime execution. When running the infected software, it grabs a compressed payload from a remote server utilizing a faux extension, such as an image file extension, so anti-virus software will not see the file as dangerous. Once downloaded, the payload gets extracted and then run as another hidden Electron-based application in the background.

electron page
Once running, the malicious Electron app adds a shortcut to itself in the startup directory, forcing it to run in the background every time the computer boots up. Other than this, there is very little local code on the malicious app itself. It utilizes the same functionality as the infected application to get a payload from a remote server. This new payload would then execute one of the functions related to the items outlined above, such as clicking on search result ads in the background to try to mess with SEO. It can also add comments to YouTube videos or product reviews to boost popularity or search results. It also can run a YouTube video in the background letting it play to completion as watch time is one of the ways the YouTube algorithm indicates popular videos.

While these actions are mostly benign to the end-user, this does not mean that these ne'er-do-wells can not use this functionality for more nefarious activity. Because the bot uses background downloading and execution of code, and the electron library allows system-level access, this grants programmers the ability to utilize GPU resources, modify system file access, and so on. That means it is entirely plausible that it could download ransomware or hide mining software or other additional malware in its payloads.

ms store
So what can you do to prevent infection? Being wary of whatever you download wherever you download it from is always the first step. Though some applications may look legitimate, make sure you read carefully. For example, Temple Run is the proper name of the endless runner, while the addition of extra words to the title to hit the same search results is a common tactic for those wishing to deploy these attacks.

Removing is fairly straightforward—find the app in your Programs list and uninstall, find the malware inside your %LocalAppData%\Packages folder, which might be labeled "Microsoft.Windows.SecurityUpdate_xxxxxxxxx" or "Microsoft.Windows.Skype_xxxxxxx", and delete them. Then remove the file from startup, which should be in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup and likely labeled as "WindowsSecurityUpdate" or "Skype." More details on the findings can be read at Check Point Research's website.