Abusing Electron-based applications in targeted attacks
2023-09-09, 12:00–12:30 (Europe/Berlin), Tesla

Electron is a popular framework for creating pseudo-native applications with web technologies like JavaScript, HTML, and CSS. By packaging the application source code with a particular version of Chromium (front-end part) and Node.js (back-end part), Electron lets developers maintain a single codebase that runs on different platforms (Windows, macOS, and Linux).
This versatility and popularity have attracted the attention of threat actors: we have observed several attacks against Electron-based applications, particularly supply chain attacks.
In this presentation, we will look at the Electron framework (what it really is from the developer's, end user's, and defender's points of view) and discuss possible infection vectors: exploiting Chromium vulnerabilities, or trojanizing Electron applications by replacing or patching the app.asar archive (which contains the application sources) to embed malicious code.
We will then analyze several real-life cases involving Electron-based applications that we recently researched.

These include
a) a secure chat application (MiMi chat) trojanized by the Iron Tiger threat actor, targeting Windows, Linux and macOS secure chat users. The trojanized chat application becomes a downloader of additional native backdoors (HyperBro for Windows, rshell for Linux and macOS).
b) chat-based customer engagement platforms (Comm100 & LiveHelp100) trojanized by a currently unclassified threat actor. The trojanized applications download a multi-stage JavaScript payload, which later downloads a native multi-stage backdoor and stealer.
c) a live chat application (MeiQia) vulnerable to CVE-2021-21220, then trojanized and exploited by the threat actor Water Labbu. The trojanized live chat application becomes a downloader of additional malware (custom batch scripts, Cobalt Strike, or a system monitoring tool).
We will analyze not only the trojanized JavaScript code, but also briefly discuss the interesting native malware (custom backdoors, stealers, ...).
At the end, we will talk about the targets of these campaigns, as well as the connections to previous campaigns operated by the mentioned threat actors.
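
For defenders, a replaced or patched app.asar can be detected by hashing every file packed in the archive and comparing the digests with a baseline taken from a known-good installer. The sketch below is an added example, not code from the talk or from the Electron project; it follows the published ASAR layout, and the function names and the in-memory sample archive are constructed for illustration.

```javascript
// Added example (not from the talk): audit an Electron app.asar against a baseline.
const { createHash } = require("node:crypto");
// ASAR layout: four little-endian uint32 values (4, header pickle size, payload
// size, JSON length), the JSON header padded to 4 bytes, then the file contents.
function parseAsar(buf) {
  const header = JSON.parse(buf.toString("utf8", 16, 16 + buf.readUInt32LE(12)));
  return { header, dataStart: 8 + buf.readUInt32LE(4) };
}

// Walk the header tree and return { "path/in/archive": sha256 hex digest }.
function hashFiles(buf) {
  const { header, dataStart } = parseAsar(buf);
  const digests = Object.create(null);
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files)) {
      if (entry.files) { walk(entry, prefix + name + "/"); continue; }
      if (entry.unpacked || entry.link) continue; // not stored inside the archive
      const start = dataStart + Number(entry.offset), end = start + entry.size;
      if (end > buf.length) throw new RangeError(`truncated entry: ${prefix + name}`);
      digests[prefix + name] = createHash("sha256").update(buf.subarray(start, end)).digest("hex");
    }
  })(header, "");
  return digests;
}

// Report files added, modified or removed relative to the known-good digests.
function diffAgainstBaseline(baseline, current) {
  const paths = new Set([...Object.keys(baseline), ...Object.keys(current)]);
  return [...paths].flatMap((p) =>
    !Object.hasOwn(baseline, p) ? [`added: ${p}`] : !Object.hasOwn(current, p) ? [`removed: ${p}`]
    : baseline[p] !== current[p] ? [`modified: ${p}`] : []).sort();
}

// Constructed helper: builds a flat in-memory archive so the example runs offline.
function buildSampleAsar(files) {
  const header = { files: {} }, bodies = [];
  let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const body = Buffer.from(text);
    header.files[name] = { size: body.length, offset: String(offset) };
    bodies.push(body); offset += body.length;
  }
  const json = Buffer.from(JSON.stringify(header));
  const padded = Math.ceil(json.length / 4) * 4;
  const prefix = Buffer.alloc(16 + padded);
  [4, padded + 8, padded + 4, json.length].forEach((v, i) => prefix.writeUInt32LE(v, i * 4));
  json.copy(prefix, 16);
  return Buffer.concat([prefix, ...bodies]);
}
```

In practice the buffer would come from reading the installed app.asar from disk, and files marked `unpacked` (stored beside the archive) need a separate check.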


The outline of the talk is as follows:
1) Introduction
2) Overview of ElectronJS framework
a) Structure of ElectronJS application package
b) ASAR archive
c) Creating ElectronJS project
d) Compiling the project for different platforms
3) Methods of abusing Electron-based applications
a) Exploiting vulnerabilities
b) Patching existing application
4) Selected APT cases abusing Electron-based applications
a) MiMi secure chat (Iron Tiger threat actor)
(*) analysis of HyperBro and rshell backdoors
b) Comm100 & LiveHelp100 customer engagement platforms
(*) analysis of custom multi-stage backdoor and stealer
c) MeiQia live chat (Water Labbu threat actor)
(*) analysis of custom scripts and delivered payloads
5) Conclusion

Jaromir Horejsi is a Senior Threat Researcher for Trend Micro Research. He specializes in tracking and reverse-engineering threats such as APTs, DDoS botnets, banking Trojans, click fraud, and ransomware that target both Windows and Linux. His work has been presented at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf, and CARO.