Topic: Electron Bot malware is running rampant in the Microsoft Store, opening backdoor

Posted by javajolt
Fake versions of popular games such as Temple Run and Subway Surfers are being used to distribute dangerous malware through the Microsoft Store to users of Windows 10 and Windows 11.

Security firm Check Point Research found that malicious versions of the titles were riddled with Electron Bot malware and have already infected thousands of computers in countries including Sweden, Bulgaria, and Russia. The malware gives an attacker a backdoor into a victim's computer allowing for complete system control, as well as control of social media accounts.

Publishers including Lupy games, Crazy 4 games, Jeuxjeuxkeux games, Akshi games, Goo Games and Bizzon Case have been found to be constantly submitting malicious clones of popular games to the Microsoft Store. Check Point Research (CPR) has reported all of the games and publishers to Microsoft, but it shows signs of turning into a game of whack-a-mole.

CPR explains that the Electron Bot is based on the Electron framework, and the attackers behind it have been active since 2018. The research firm says:

Quote
The framework combines the Chromium rendering engine and the Node.js runtime, giving it the capabilities of a browser controlled by scripts like JavaScript.

To avoid detection, most of the scripts controlling the malware are loaded dynamically at run time from the attackers’ servers. This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time.

Analysis of code and activity strongly suggests that the attacks originate from Bulgaria.

CPR has some tips to help people avoid infection:

   • Avoid downloading an application with a small number of reviews

   • Look for applications with good, consistent, and reliable reviews

   • Pay attention to suspicious application naming which is not identical to the original name

But if your computer has become infected, the company has some further advice:

Remove the application downloaded from the Microsoft Store.

   1. Go to Settings > Apps.

   2. Find the app in the list and select Uninstall.

Remove the malware's package folder.

   1. Go to C:\Users\<username>\AppData\Local\Packages.

   2. Look for one of the following folders and remove it.

      ○ "Microsoft.Windows.SecurityUpdate_cw5n1h2txyewy"

      ○ "Microsoft.Windows.Skype_cw5n1h2txyewy"

Remove the associated LNK file from the Startup folder.

   1. Go to C:\Users\<username>\AppData\Microsoft\Windows\Start Menu\Programs\Startup.

   2. Look for a file named Skype.lnk or WindowsSecurityUpdate.lnk and remove it.
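The package-folder and startup-shortcut checks above, as an added PowerShell script that is not part of the article or of Check Point's advice. It audits one user profile for the folder and LNK names quoted above, prints what each shortcut launches, and deletes only when run with -Remove (honouring -WhatIf); it assumes the per-user Startup folder lives under AppData\Roaming, which is where %APPDATA% points.

```powershell
# Added example: audit a profile for the Electron Bot artifacts the article lists.
# Assumptions: the package and LNK names below are the ones quoted above; the
# per-user Startup folder is AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfilePath = $env:USERPROFILE,   # run as admin with another user's profile to audit it
    [switch]$Remove                            # report only unless this switch is given
)

$packageNames = @(
    'Microsoft.Windows.SecurityUpdate_cw5n1h2txyewy',
    'Microsoft.Windows.Skype_cw5n1h2txyewy'
)
$lnkNames = @('Skype.lnk', 'WindowsSecurityUpdate.lnk')

$packagesDir = Join-Path $ProfilePath 'AppData\Local\Packages'
$startupDir  = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Build every candidate path, then keep only the ones that actually exist on disk.
$candidates = @()
$candidates += $packageNames | ForEach-Object { Join-Path $packagesDir $_ }
$candidates += $lnkNames     | ForEach-Object { Join-Path $startupDir $_ }
$found = @($candidates | Where-Object { Test-Path -LiteralPath $_ })

if ($found.Count -eq 0) {
    Write-Output "No Electron Bot artifacts found under $ProfilePath"
    return
}

foreach ($path in $found) {
    if ($path -like '*.lnk') {
        # Resolve the shortcut target: this is what the startup entry launches at logon,
        # which is worth recording before the evidence is deleted.
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($path).TargetPath
        Write-Output "FOUND startup shortcut: $path -> $target"
    } else {
        Write-Output "FOUND package folder: $path"
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove')) {
        Remove-Item -LiteralPath $path -Recurse -Force
        Write-Output "Removed $path"
    }
}
```

Run it once without -Remove to see what is present, then with -Remove -WhatIf to preview deletions before committing to them.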

More information is available on the Check Point Research website.

source