Electron Bot malware is running rampant in the Microsoft Store, opening backdoors on victims' computers
Fake versions of popular games such as Temple Run and Subway Surfers are being used to distribute dangerous malware through the Microsoft Store to users of Windows 10 and Windows 11.
Security firm Check Point Research found that malicious versions of the titles were riddled with Electron Bot malware and have already infected thousands of computers in countries including Sweden, Bulgaria and Russia. The malware gives an attacker a backdoor into a victim's computer, allowing complete system control as well as control of social media accounts.
Publishers including Lupy games, Crazy 4 games, Jeuxjeuxkeux games, Akshi games, Goo Games and Bizzon Case have been found to be constantly submitting malicious clones of popular games to the Microsoft Store. Check Point Research (CPR) has reported all of the games and publishers to Microsoft, but it shows signs of turning into a game of whack-a-mole.
CPR explains that the Electron Bot is based on the Electron framework, and the attackers behind it have been active since 2018. The research firm says:
The framework combines the Chromium rendering engine and the Node.js runtime, giving it the capabilities of a browser controlled by scripts like JavaScript.
To avoid detection, most of the scripts controlling the malware are loaded dynamically at run time from the attackers’ servers. This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time.
Analysis of code and activity strongly suggests that the attacks originate from Bulgaria.
CPR has some tips to help people avoid infection:
- Avoid downloading an application with a small number of reviews
- Look for applications with good, consistent and reliable reviews
- Pay attention to suspicious application naming that is not identical to the original name
But if your computer has become infected, the company has some further advice:
Remove the application downloaded from the Microsoft Store:
- Go to Settings > Apps.
- Find the app in the list and select Uninstall.
Remove the malware's package folder:
- Go to C:\Users\<username>\AppData\Local\Packages.
- Look for one of the following folders and remove it:
  - "Microsoft.Windows.SecurityUpdate_cw5n1h2txyewy"
  - "Microsoft.Windows.Skype_cw5n1h2txyewy"
Remove the associated LNK file from the Startup folder:
- Go to C:\Users\<username>\AppData\Microsoft\Windows\Start Menu\Programs\Startup.
- Look for a file named Skype.lnk or WindowsSecurityUpdate.lnk and remove it.
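The same checks can be scripted so a helpdesk can run them across many machines. The following is an added example, not code from the article or from Check Point Research: it looks for the package folders and Startup shortcuts named above, reports what it finds, and deletes only when run with -Remove (with -WhatIf honoured). It assumes it runs in the affected user's session.

```powershell
# Added example, not code from the article or from Check Point Research: a defender-side check
# for the Electron Bot artifacts named in the removal steps, reporting by default and deleting
# only when -Remove is given (-WhatIf is honoured). Assumes it runs as the affected user.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Indicators taken verbatim from the removal steps in the article.
$PackageNames = @(
    'Microsoft.Windows.SecurityUpdate_cw5n1h2txyewy',
    'Microsoft.Windows.Skype_cw5n1h2txyewy'
)
$LnkNames = @('Skype.lnk', 'WindowsSecurityUpdate.lnk')

$packagesRoot = Join-Path $env:LOCALAPPDATA 'Packages'
# Resolve the current user's Startup folder through the shell API rather than a hard-coded path.
$startupDir = [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($name in $PackageNames) {
    $dir = Join-Path $packagesRoot $name
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $findings.Add([pscustomobject]@{ Type = 'PackageFolder'; Path = $dir })
    }
}

foreach ($name in $LnkNames) {
    $lnk = Join-Path $startupDir $name
    if (Test-Path -LiteralPath $lnk -PathType Leaf) {
        $findings.Add([pscustomobject]@{ Type = 'StartupLnk'; Path = $lnk })
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No Electron Bot artifacts found for $env:USERNAME"
    return
}

foreach ($f in $findings) {
    Write-Warning "$($f.Type): $($f.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess($f.Path, "Remove $($f.Type)")) {
        Remove-Item -LiteralPath $f.Path -Recurse -Force
    }
}

# Emit the findings as objects so the output can feed a fleet-wide inventory.
$findings
```

Uninstalling the Store app itself (the first removal step) is still done through Settings, since the article does not name the app package identifiers.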
More information is available on the Check Point Research website.