# Abusing Electron-based applications in targeted attacks

Jaromír Hořejší (@JaromirHorejsi)
FIRSTCON23, Montreal, Canada

-----

## Outline

• Introduction
• Overview of Electron framework
• Methods of abusing Electron-based applications
• Selected APT cases abusing Electron-based applications
  − Iron Tiger (MiMi secure chat)
  − Unclassified (Comm100 & LiveHelp100 customer engagement platforms)
  − Water Labbu (MeiQia live chat)
• Conclusion

-----

# Introduction

-----

## Introduction

• Open-source project
• Uses web development languages
  − JavaScript, HTML, CSS
• Allows a single codebase to be maintained for all platforms
• Framework to build cross-platform desktop apps

-----

## Introduction

• Node.js
  − server-side JavaScript runtime environment
  − runs the V8 JavaScript engine
  − asynchronous, event-driven JavaScript runtime
  − bundles npm (Node package manager)

-----

## Introduction

• Multi-process architecture inherited from Chromium
  − Framework architecturally similar to modern web browsers
  − Main process (single process)
    • Application entry point
    • Runs in the Node.js environment
    • Creates and manages application windows (BrowserWindow module)
    • Controls the application lifecycle (ready, launch window, finish launching, all windows closed, before quit, …)
    • Can interact with the operating system via custom APIs

-----

## Introduction

• Lots of applications built with Electron (https://www.electronjs.org/apps)
  − Productivity apps
    • GitHub Desktop
  − Social
    • Discord, Signal, Skype, WhatsApp
  − Business
    • Microsoft Teams, Slack
  − Developer tools
    • Visual Studio Code

-----

# Overview of Electron framework

-----

## Overview of Electron framework

• Creating an Electron project
  − package.json, index.html, main.js, preload.js

-----

## Overview of Electron framework

• Structure of an Electron application folder
  − To distribute the application, one needs to package it (using tools or manually)
  − Use tools like Electron Forge, electron-builder, …

-----

## Overview of Electron framework

• Packaging/building the project for different platforms
  − npx electron-builder -mwl

-----

## Overview of Electron framework

• ASAR archive
  − ASAR stands for Atom Shell Archive Format
  − simple extensible archive format
  − Works like tar (tape archive)
    • Concatenates files together
    • No compression
    • Random access support (Electron can read arbitrary files from it without unpacking the whole archive)
  − Uses JSON to store information about files (a header listing file names, sizes and offsets)

-----

## Overview of Electron framework

• Location of app.asar inside the packaged artifacts
  − electron-test-1.0.0-mac.zip\electron-test.app\Contents\Resources\app.asar
  − electron-test-1.0.0.dmg\electron-test 1.0.0\electron test.app\Contents\Resources\app.asar
  − electron-test_1.0.0_amd64.snap\resources\app.asar
  − electron-test Setup 1.0.0.exe\$PLUGINSDIR\app-64.7z\resources\app.asar

-----

## Overview of Electron framework

• Tools for viewing/extracting ASAR archive contents
  − 7-Zip plugin
  − winasar

-----

# Methods of abusing Electron-based applications

-----

## Methods of abusing Electron-based applications

• Exploiting vulnerabilities
  − CVE-2021-21220 had been used in the wild by threat actors
    • Vulnerability in Chromium prior to 89.0.4389.128
    • Insufficient validation of untrusted input in V8 for x86_64
    • The exploit code works when it is rendered in a non-sandboxed window

-----

## Methods of abusing Electron-based applications

• Patching an existing application
  − Searching for strings in the app.asar archive and replacing them

-----

# Selected APT cases

-----

## Selected APT cases

• Iron Tiger
  − MiMi secure chat application
• Unclassified actor
  − Comm100 & LiveHelp100 customer engagement platforms
• Water Labbu
  − MeiQia live chat

-----

## MiMi secure chat application

• Desktop chat application
  − electron-main.js file modified to download the malicious payload
• electron-main.js contains code obfuscated with Dean Edwards' JS packer

-----

## MiMi secure chat application

• We retrieved the clean (left) and malicious (right) installer
• The interval between the modification times of both versions was very short (1h30)

-----

### Comm100 & LiveHelp100 customer engagement platforms

• Based on our telemetry, the actor behind the campaign had compromised the web application since at least February 2022
• The client application has been downloading the backdoor since at least August 2022
• The compromise was noticed around the end of September 2022

-----

### Comm100 & LiveHelp100 customer engagement platforms

• Infection chain (diagram): trojanized Electron app → loads → JavaScript backdoor → drops → legitimate EXE file → sideloads the next stage

-----

### Comm100 & LiveHelp100 customer engagement platforms

• /livehelp/collect returns obfuscated JavaScript code
• Backdoor function executed by the trojanized application
• Collection of OS information

-----

### Comm100 & LiveHelp100 customer engagement platforms

• Second-stage script from /livehelp/init
• Responsible for
  − further trojanizing/modifying the original application and dropping the next-stage malware
  − dropping additional malicious files

-----

## MeiQia(美洽) live chat application

• Discovery
  − Found a Cobalt Strike sample associated with a campaign responsible for stealing

-----

## MeiQia(美洽) live chat application

• Infection vector
  − The threat actor likely sent the exploit through the live chat box
  − Weaponized HTML files containing a screenshot that looks like a withdrawal confirmation of crypto funds

-----

## MeiQia(美洽) live chat application

• Some old versions of the MeiQia(美洽) application
  − open external links inside the MeiQia(美洽) application (loadURL)
  − render the webpage without sandboxing (from Electron 20, the sandbox is enabled for renderer processes without any further configuration)
• Comment found in the application's code:

    // 为了安全考虑,所有链接都通过外部浏览器打开
    // For security reasons, all links are opened through external browsers

-----

## MeiQia(美洽) live chat application

• Batch/PS1 scripts patch the MeiQia app
  − downloading an already patched app.asar archive and replacing the original
  − running a patcher script
• The patcher script changes .\modules\create-window.js inside the app.asar archive
• Modifications include
  − Disabling auto-updates
  − Setting a fixed window size
  − Replacing the default URL (https://app.meiqia.com) with a malicious one
  − Embedding additional JavaScript to be executed within the MeiQia application context

-----

# Conclusion

-----

## Takeaways

• Electron applications are usually "big" projects consisting of many files, any of which may be modified by threat actors
• app.asar archives contain even more files, which may hide a malicious payload
• It is important to know where to look for possible malicious modifications
• Supply chain attacks defeat even cautious targets
• Running an unsigned installer displays warnings on both Windows and macOS; users are likely used to ignoring them

-----

## Conclusion

• Advanced threat actors with strong technical capabilities
• Patched Electron applications serve as downloaders/droppers to load additional native malware
• Custom malware toolkits working on multiple platforms
• The motivation of the first two actors is espionage; the motivation of Water Labbu is financial

-----