Abusing Electron-based applications in targeted attacks
Jaromír Hořejší (@JaromirHorejsi)
FIRSTCON23, Montreal, Canada, 06 June 2023
©2023 Trend Micro Inc.

Outline
• Introduction
• Overview of Electron framework
• Methods of abusing Electron-based applications
• Selected APT cases abusing Electron-based applications
  − Iron Tiger (MiMi secure chat)
  − Unclassified (Comm100 & LiveHelp100 customer engagement platforms)
  − Water Labbu (MeiQia live chat)
• Conclusion

Introduction

Introduction
• Open-source project
• Uses web development languages
  − JavaScript, HTML, CSS
• Allows a single codebase to be maintained
• Framework to build cross-platform desktop apps
  − macOS, Linux, Windows
• Embeds Chromium and Node.js into its binary
• Node.js
  − server-side JavaScript runtime environment
  − runs the V8 JavaScript engine
  − asynchronous, event-driven JavaScript runtime
  − bundles npm (node package manager)
• Multi-process architecture inherited from Chromium
  − Framework architecturally similar to modern web browsers
  − Main process (single process)
    • Application entry point
    • Runs in the Node.js environment
    • Creates and manages application windows (BrowserWindow module)
    • Controls the application lifecycle (ready, launch window, finish launching, all windows closed, before quit, …)
    • Can interact with the operating system via custom API
  − Renderer process
    • Spawned for each open BrowserWindow
    • Responsible for rendering web content
  − GPU process, sandboxed utility process
• Lots of applications are built with Electron (https://www.electronjs.org/apps)
  − Productivity apps: GitHub Desktop
  − Social: Discord, Signal, Skype, WhatsApp
  − Business: Microsoft Teams, Slack
  − Developer tools: Visual Studio Code

Overview of Electron framework
Overview of Electron framework
• Creating an Electron project
  − package.json, index.html, main.js, preload.js
• Structure of the Electron application folder
  − To distribute the application, one needs to package it (using tools or manually)
  − Use tools like Electron Forge, electron-builder, …
• Packaging/building the project for different platforms
  − npx electron-builder -mwl
• Compiling/packaging the project for different platforms
• ASAR archive
  − ASAR stands for Atom Shell Archive Format
  − simple extensible archive format
  − Works like tar (tape archive)
    • Concatenates files together
    • No compression
    • Random access support (Electron can read arbitrary files from it without unpacking the whole archive)
  − Uses JSON to store information about files
• Where app.asar sits inside packaged applications
  − electron-test-1.0.0-mac.zip\electron-test.app\Contents\Resources\app.asar
  − electron-test-1.0.0.dmg\electron-test 1.0.0\electron-test.app\Contents\Resources\app.asar
  − electron-test_1.0.0_amd64.snap\resources\app.asar
  − electron-test Setup 1.0.0.exe\$PLUGINSDIR\app-64.7z\resources\app.asar
• Tools for viewing/extracting ASAR archive contents
  − npx asar extract app.asar
  − npx asar extract-file app.asar
  − 7-zip plugin
  − winasar

Methods of abusing Electron-based applications
Methods of abusing Electron-based applications
• Exploiting vulnerabilities
  − BlackHat USA 2022: ElectroVolt – Pwning Popular Desktop apps while uncovering new attack surface on Electron
    • Node integration / context isolation / sandboxing
    • Visual Studio Code bypassing restricted mode (CVE-2021-43908)
    • Discord RCE (uses CVE-2021-21220 to get RCE)
    • Local file read in MS Teams (uses CVE-2021-44165)
    • Element Desktop RCE (CVE-2022-23597)
    • CVE-2021-39184 (allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file)
    • CVE-2022-29247 (enabling Node integration in subframes from a compromised renderer)
  − CVE-2021-21220 has been used in the wild by threat actors
    • Vulnerability in Chromium prior to 89.0.4389.128
    • Insufficient validation of untrusted input in V8 for x86_64
    • The exploit code works when it is rendered in a non-sandboxed window
• Patching an existing application
  − has been used in the wild by threat actors
  − Replacing the existing app.asar archive (the target version is identified by the archive file size)
  − Searching for strings in the app.asar archive and replacing them

Selected APT cases
• Iron Tiger
  − MiMi secure chat application
• Unclassified actor
  − Comm100 & LiveHelp100 customer engagement platforms
• Water Labbu
  − MeiQia live chat

MiMi secure chat application
• MiMi chat, a multiplatform chat application
  − In Chinese, mì mì (秘密) means "secret" (https://chinese.yabla.com/chinese-english-pinyin-dictionary.php?define=%20%E7%A7%98%E5%AF%86)
• Trojanized versions:
  − Nov. 2021: Windows
  − May 2022: macOS
MiMi secure chat application
• Desktop chat application
  − electron-main.js file modified to download the malicious payload
• electron-main.js contains code obfuscated with Dean Edwards' JS packer
• Dean Edwards' JS packer
• HyperBro downloader
• rshell downloader
• We retrieved the clean (left) and malicious (right) installers
  − The modification time interval between both versions was very short (1h30)
• Security warnings (unsigned installer, unverified developer)
• We found interesting attackers' scripts in our telemetry
  − script.js is a custom JavaScript password grabber
  − (host not shown on the slide) is an authentication portal for a developer tool
  − The attacker might have used credentials stolen this way to access the developer's build environment
  − Diagram: developer connects to the malicious domain; GET /script.js; POST /script.php

Comm100 & LiveHelp100 customer engagement platforms
• Based on our telemetry, the actor behind the campaign had compromised the web application since at least February 2022
• Client application downloading the backdoor since at least August 2022
• Noticed around the end of September 2022
• Observed activity until the end of October 2022
• Diagram of the infection chain; components: trojanized Electron app, JavaScript backdoor (1st stage, 2nd stage), legitimate EXE file, decryptor, modules, update package; edge labels: downloads & runs, drops, loads, sideloads, decrypts & loads, downloads & loads
• Installer.exe\$PLUGINSDIR\app-32\resources\app\app.asar\main.js
Comm100 & LiveHelp100 customer engagement platforms
• /livehelp/collect returns obfuscated JavaScript code
• Backdoor function executed by the trojanized application
• Collection of OS information
• Backdoor function
• Second-stage script from /livehelp/init
• Responsible for
  − additional trojanizing/modifying of the original application and dropping the next-stage malware
  − dropping additional malicious files

MeiQia (美洽) live chat application
• Discovery
  − Found a Cobalt Strike sample associated with a campaign responsible for stealing cryptocurrency
  − The sample added a persistence registry key to load an exploit from an online code repository
  − The repository also contained files designed to target the MeiQia (美洽) application
• CVE-2021-21220 (a vulnerability in Chromium before 89.0.4389.128)
• Infection vector
  − The threat actor likely sent the exploit through the live chat box
  − Weaponized HTML files containing a screenshot which looks like a withdrawal confirmation of crypto funds
• Some old versions of the MeiQia (美洽) application
  − open external links inside the MeiQia (美洽) application (loadURL)
  − render the webpage without sandboxing (from Electron 20, the sandbox is enabled for renderer processes without any further configuration)
  − Comment from the application source (translated from Chinese): // For security reasons, all links are opened through external browsers
MeiQia (美洽) live chat application
• Diagram of the attack flow; components: threat actor, targeted Electron app, Cobalt Strike, batch commands, code repo, delivery server; edge labels: sends malicious link, clicking on malicious link, loading exploit, exploit executes shellcode, runs, patch Electron app, delivers JS payload
• Batch/ps1 scripts patch the MeiQia app
  − downloading an already patched app.asar archive and replacing the original
  − running a patcher script
• The patcher script changes .\modules\create-window.js inside the app.asar archive
• Modifications include
  − Disabling auto updates
  − Setting a fixed window size
  − Replacing the default URL (https://app.meiqia.com) with a malicious one
  − Embedding additional JavaScript to be executed within the MeiQia application context
• The patcher
  − Replaces the default URL
  − Modifies the "new-window" function, which injects additional scripts
• Script to grab credentials and steal cookies

Conclusion

Takeaways
• Electron applications are usually "big" projects consisting of many files, any of which may be modified by threat actors
• app.asar archives contain even more files, which may hide a malicious payload
• It is important to know where to look for possible malicious modifications
• Supply chain attacks defeat even cautious targets
• Running an unsigned installer displays warnings on both Windows and macOS; users are likely used to ignoring them

Conclusion
• Advanced threat actors with strong technical capabilities
• Patched Electron applications serve as downloaders/droppers to load additional native malware
• Custom malware toolkits working on multiple platforms
• The motivation of the first two actors is espionage; the motivation of Water Labbu is financial
References
• Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (blog post, Aug 12th, 2022)
  https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html
• How Water Labbu Exploits Electron-Based Applications (blog post, Oct 5th, 2022)
  https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
• Probing Weaponized Chat Applications Abused in Supply-Chain Attacks (blog post, Dec 14th, 2022)
  https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html