Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.
This versatility and popularity have attracted the attention of threat actors: we have observed several attacks against Electron-based applications, particularly supply chain attacks.
In this presentation, we will look at the Electron framework (what it really is from the developer's, end-user's, and defender's points of view) and discuss possible infection vectors – exploiting Chromium vulnerabilities, or trojanizing Electron applications by replacing or patching the app.asar archive (which contains the application sources) to embed malicious code.
We will then analyze several real-life cases that we recently researched, all of which involved Electron-based applications.
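The app.asar replacement/patching vector described above is exactly what Electron's ASAR integrity feature is meant to catch. The following Python script is an added example (not code from this talk or from Trend Micro) of the defender-side check: it parses the Pickle-framed ASAR header, recomputes the per-file `integrity` records, and compares the SHA-256 of the header string against a pinned value, which is the quantity Electron itself pins in the app bundle when ASAR integrity validation is enabled. The archive is constructed in memory with a flat file layout (real archives nest directories; the verifier handles that, the builder does not), and the "pinned" hash is simply taken from the clean build, which stands in for the value a packager would embed.

```python
import hashlib
import json
import struct

# Electron's default block size for per-file integrity records.
BLOCK_SIZE = 4 * 1024 * 1024


def file_integrity(data):
    """Electron-style integrity record for one file's content."""
    return {
        "algorithm": "SHA256",
        "hash": hashlib.sha256(data).hexdigest(),
        "blockSize": BLOCK_SIZE,
        "blocks": [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
                   for i in range(0, max(len(data), 1), BLOCK_SIZE)],
    }


def build_asar(files):
    """Pack {name: bytes} into a minimal flat ASAR archive (constructed for
    this example). Layout: Pickle(uint32 header_size) | Pickle(string header
    JSON) | concatenated file contents. Offsets are relative to the data start."""
    entries, blob = {}, b""
    for name, data in files.items():
        entries[name] = {"size": len(data),
                         "offset": str(len(blob)),       # ASAR stores offsets as strings
                         "integrity": file_integrity(data)}
        blob += data
    header_bytes = json.dumps({"files": entries}, separators=(",", ":")).encode()
    padded_len = (len(header_bytes) + 3) & ~3           # Pickle pads strings to 4 bytes
    header_pickle = (struct.pack("<II", 4 + padded_len, len(header_bytes))
                     + header_bytes.ljust(padded_len, b"\0"))
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + blob


def parse_asar(archive):
    """Return (raw header JSON bytes, parsed header, offset where file data starts)."""
    _, header_size = struct.unpack_from("<II", archive, 0)
    _, str_len = struct.unpack_from("<II", archive, 8)
    header_bytes = archive[16:16 + str_len]
    return header_bytes, json.loads(header_bytes), 8 + header_size


def header_hash(archive):
    """SHA-256 of the header string: the value Electron pins for ASAR integrity."""
    return hashlib.sha256(parse_asar(archive)[0]).hexdigest()


def verify_asar(archive, pinned_header_hash):
    """Defender-side check. Returns a list of findings; an empty list means clean.
    Catches both an in-place patch of a file (content no longer matches its
    integrity record) and a wholesale rebuilt archive (header hash changed)."""
    findings = []
    header_bytes, header, data_start = parse_asar(archive)
    actual = hashlib.sha256(header_bytes).hexdigest()
    if actual != pinned_header_hash:
        findings.append("header hash mismatch: " + actual)

    def walk(entries, prefix=""):
        for name, entry in entries.items():
            path = prefix + name
            if "files" in entry:                        # directory node
                walk(entry["files"], path + "/")
                continue
            off = data_start + int(entry["offset"])
            data = archive[off:off + entry["size"]]
            integ = entry.get("integrity")
            if integ is None:
                findings.append(path + ": no integrity record")
            elif hashlib.sha256(data).hexdigest() != integ["hash"]:
                findings.append(path + ": content hash mismatch")

    walk(header["files"])
    return findings


# Constructed sample application sources.
CLEAN_FILES = {"main.js": b"require('./app');\n",
               "package.json": b'{"main":"main.js"}'}


def demo():
    clean = build_asar(CLEAN_FILES)
    pinned = header_hash(clean)                          # assumed packager-embedded value
    # Attacker patches main.js in place (same length, header untouched).
    patched = clean.replace(b"require('./app')", b"require('./bad')")
    # Attacker rebuilds the whole archive with a new header and valid records.
    rebuilt = build_asar({**CLEAN_FILES, "main.js": b"require('./bad');\n"})
    return (verify_asar(clean, pinned), verify_asar(patched, pinned),
            verify_asar(rebuilt, pinned))


if __name__ == "__main__":
    for label, result in zip(("clean", "patched", "rebuilt"), demo()):
        print(label, "->", result or "OK")
```

The two failure modes map to the two trojanizing methods in the abstract: a patch of the sources inside the archive trips the per-file record, while a replaced archive carries consistent records but a different header, so only the pinned header hash catches it. That is why the pin must live outside app.asar (in the binary or bundle metadata), not inside it.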
a) a secure chat application (MiMi chat) trojanized by the Iron Tiger threat actor, targeting Windows, Linux and macOS secure chat users. The trojanized chat application becomes a downloader of additional native backdoors (HyperBro for Windows, rshell for Linux and macOS).
c) a live chat application (MeiQia) vulnerable to CVE-2021-21220, then trojanized and exploited by the threat actor Water Labbu. The trojanized live chat application becomes a downloader of additional malware (custom batch scripts, Cobalt Strike, or a system monitoring tool).
At the end, we will talk about the targets of these campaigns, as well as their connections to previous campaigns operated by the mentioned threat actors.