Microsoft Security Intelligence
Published Mar 21, 2022 | Updated Mar 21, 2022

Trojan:Win32/AppxElectronBot

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This trojan is modular search engine optimization (SEO) poisoning malware that is used for social media promotion and click fraud. It uses the Electron framework to imitate user browsing behavior, which helps it evade protection, and it connects to the attacker’s command-and-control (C2) server. Upon gaining access to the device, attackers load a dynamic JavaScript dropper, maintain persistence, and move laterally into the targeted network.

ElectronBot is mainly distributed via the Microsoft Store platform. It is dropped by dozens of infected applications, mostly games, which the attackers constantly upload.

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

  • Immediately isolate the affected device. If ElectronBot has been launched, it is likely that the device is under complete attacker control.
  • Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
  • Investigate how the affected endpoint might have been compromised. Check for the presence of other malware, and check for the presence of malicious documents that might have been used to deliver this malware.
  • Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts.
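
The update-and-scan step above, followed by a lookup of recorded detections for this threat name, as an added PowerShell example that is not part of Microsoft's original page. It uses the built-in Defender cmdlets and assumes an elevated session on the affected device.

```powershell
# Added example: check Defender state, update, scan, and list detections.
$threatName = 'Trojan:Win32/AppxElectronBot'   # detection name from this page

# Cloud-delivered protection: MAPSReporting 0 = disabled, 1 = basic, 2 = advanced.
$maps   = (Get-MpPreference).MAPSReporting
$status = Get-MpComputerStatus
[pscustomobject]@{
    CloudProtectionEnabled = ($maps -ne 0)
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    SignatureVersion       = $status.AntivirusSignatureVersion
    SignatureLastUpdated   = $status.AntivirusSignatureLastUpdated
} | Format-List

# Without cloud-delivered protection, update definitions and run a full scan.
# The full scan runs synchronously and can take a long time.
if ($maps -eq 0) {
    Update-MpSignature
    Start-MpScan -ScanType FullScan
}

# List recorded detections of this threat with time, user and process,
# which gives a starting point for the account and timeline review.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -eq $threatName }
if ($threats) {
    $ids = @($threats.ThreatID)
    Get-MpThreatDetection |
        Where-Object { $ids -contains $_.ThreatID } |
        Sort-Object InitialDetectionTime |
        Select-Object InitialDetectionTime, DomainUser, ProcessName, Resources
} else {
    Write-Output "No recorded detection of $threatName on this device."
}
```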

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.