Beware Of Electron Bot Malware Hiding In Popular Gaming Apps At The Microsoft Store
Nicknamed Electron Bot by security researchers at Check Point Research, the malware runs a sort of browser instance in the background of a victim's computer to promote products, click on ads, and automate social media accounts. It is now showing up in clones of popular games, such as Subway Surfer and Temple Run, on the Microsoft Store. According to the researchers, there are already roughly 5,000 infected devices worldwide.
Electron Bot gets its name because it is built on Electron, a framework for writing desktop applications in JavaScript. Electron combines the Chromium rendering engine (the engine behind browsers such as Google Chrome and Microsoft Edge) with Node.js to give JavaScript code a runtime with desktop-level capabilities. When the infected game runs, it fetches a compressed payload from a remote server under a misleading file extension, such as an image extension, so that anti-virus software does not flag the download as dangerous. Once downloaded, the payload is extracted and launched as a second, hidden Electron-based application in the background.
While these actions are mostly benign to the end user, that does not mean these ne'er-do-wells cannot turn the same functionality to more nefarious ends. Because the bot downloads and executes code in the background, and Electron gives that code system-level access, its operators can use GPU resources, modify files on the system, and so on. It is therefore entirely plausible that a future payload could deliver ransomware, hidden mining software, or other additional malware.
So what can you do to prevent infection? Being wary of what you download, and where you download it from, is always the first step. Some applications may look legitimate, so read the listing carefully. For example, Temple Run is the proper name of the endless runner; adding extra words to the title so the clone appears in the same search results is a common tactic of those deploying these attacks.
Removal is fairly straightforward. Find the app in your Programs list and uninstall it, then find the malware's folder inside %LocalAppData%\Packages, which might be labeled "Microsoft.Windows.SecurityUpdate_xxxxxxxxx" or "Microsoft.Windows.Skype_xxxxxxx", and delete it. Then remove the startup entry, which should be in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup and is likely labeled "WindowsSecurityUpdate" or "Skype." More details on the findings can be read at Check Point Research's website.
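A PowerShell triage script for the folder and startup steps above, added here as an example (it is not from the article or from Check Point's report): it lists anything in the two locations matching the names the article gives so you can review it first, and deletes only when run with -Remove (add -WhatIf to preview). The wildcard suffixes standing in for the x's and the report format are the example's own assumptions.

```powershell
# Added example, not from the article or Check Point's report. Lists the
# Electron Bot artifacts named in the removal steps and deletes them only
# when -Remove is given (use -Remove -WhatIf to preview). Wildcards stand in
# for the per-install suffixes the article shows as x's.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Locations named in the article.
$packagesDir = Join-Path $env:LOCALAPPDATA 'Packages'
$startupDir  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

# Name patterns from the article; the part after the underscore varies per install.
$packagePatterns = @('Microsoft.Windows.SecurityUpdate_*', 'Microsoft.Windows.Skype_*')
$startupPatterns = @('WindowsSecurityUpdate*', 'Skype*')

$findings = New-Object System.Collections.Generic.List[object]

foreach ($pattern in $packagePatterns) {
    Get-ChildItem -Path $packagesDir -Directory -Filter $pattern -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add([pscustomobject]@{ Kind = 'Package folder'; Path = $_.FullName; Modified = $_.LastWriteTime }) }
}
foreach ($pattern in $startupPatterns) {
    Get-ChildItem -Path $startupDir -File -Filter $pattern -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add([pscustomobject]@{ Kind = 'Startup entry'; Path = $_.FullName; Modified = $_.LastWriteTime }) }
}

if ($findings.Count -eq 0) {
    Write-Host 'No matching package folders or startup entries found.'
    return
}

# Always show what matched. A name match alone is not proof (a genuine Skype
# shortcut could match 'Skype*'), so review the list before passing -Remove.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $findings) {
        if ($PSCmdlet.ShouldProcess($item.Path, 'Remove')) {
            Remove-Item -LiteralPath $item.Path -Recurse -Force
        }
    }
}
```

Run it without switches first to see the report; the uninstall of the cloned game itself is still done from the Programs list as the article describes.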