Electron Bot is a new type of malware equipped with features to compromise social media applications. According to the Check Point Research Team, the malware acts as a backdoor. It has already infected over 5,000 machines around the globe in several countries, such as Sweden, Bulgaria, Russia, Bermuda and Spain. This malware executes several commands in a loop related to the social networks, including Facebook, Google and Sound Cloud. The actions executed by malware are: registering new accounts, logging in, commenting on and “like” other posts. Electron Bot is a modular SEO poisoning agent developed for social media promotion and executing click fraud movements. It has been distributed via Microsoft’s official store and dropped from a large volume of infected game applications, The malware doesn’t have malicious detections on VirusTotal or analysis by Check Point at the moment, as observed below. [CLICK IMAGES TO ENLARGE]

Figure 1: Electron Bot – no malicious detection on VirusTotal 21-02-2022 (source).

How Electron Bot malware works

This piece of malware has evolved over the years, with criminals adding new techniques and TTP in their arsenal. The malware was first detected at the end of 2018 by taking advantage of malicious ad campaigns to target users in the wild. The high-level diagram of Electron Bot can be seen below.

Figure 2: High-level diagram of Electron Bot by Check Point (source). As observed, the malware infection chain starts with downloading a fake application from Microsoft’s legitimate store that will drop the malicious payload on the disk — the malware itself. One analyzed application is dubbed “Temple Endless Runner 2,” infected with the malicious payload. 

Figure 3: Fake application that will drop the Electron Bot payload (source). After the initial execution, Electron Bot is executed in the background, and it downloads its configuration from the C2 server. The configuration files are the fake game to lure victims, embedded in an HTML file and some JavaScript and CSS files as presented below.

Figure 4: Configuration files downloaded from the C2 server during the malware execution (source). To achieve persistence, the malware creates a shortcut file into the Windows startup folder named “Windows Security Update.exe.” It is started when the Windows is initiated next time. About the malware commands, they are not the same for every victim. The commands depend on the victim’s geolocation, and the configuration is obtained from the C2 server after the language/geolocation validation.

Figure 5: Malware matches the victim geolocation to download the configuration file related to the commands to execute(source). In detail, a popular feature of this malware is the promotion of Youtube channels by watching videos and adding new comments, subscriptions, and so on.

Figure 6: Target commands found on several Youtube channels related to this malware (source).

Understanding the Electron Bot malware

Electron Bot is a new type of malware that takes advantage of victims’ machines to promote social media applications by watching videos and adding new comments and subscriptions. Although this malware doesn’t put the compromised users’ machines at risk, it is important to be aware of its features. In this sense, defensive software such as EDR and antivirus is a rule of thumb to fight these kinds of threads. The download of applications with a few reviews should be avoided as well, as criminals have used suspicious applications that impersonate legitimate ones to lure victims. Let’s take malware protection seriously and be aware of the emerging threats that have evolved in recent months.  

Sources:

Electron Bot malware analysis, Check Point