AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron.
Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format. The threat actor in this attack case applied this installer format to the malware. [1]
Case #1
When one runs the malware, the Electron application with the following folder hierarchy is installed and executed.
Figure 1. Hierarchy of the installed Electron projectBecause Electron interacts with the OS via node.js, the actual malicious behaviors are defined in the node.js script, which is packaged inside the .asar file (usually in the app\resources path). Thus, unpacking with npm asar allows the complete code to be viewed.
Figure 2. Installing and unpacking asar
Figure 3. Unpacked asar fileThe malicious behaviors are defined in a.js and the details are given below.
Figure 4. Malicious behaviors defined in a script (a.js)Case #2
Another malware strain disguised as a TeamViewer-related file uploads the collected user information on gofile, a file-sharing service.
Figure 5. Collecting and uploading user informationThe uploaded data includes system information, browser histories, and saved ID and password information.
Figure 6. A part of the uploaded fileGenerally, the NSI script directly executes the malware distributed in the NSIS installer format. Yet because the malware strains in the cases above are additionally passed through the Electron structure, they are difficult to recognize as malware both for detection and for users.
If users wish to use games or utilities, they must use the files provided by official websites.
[IOC Info]
9926e2782d603061b52d88f83d93e7af (TeamViewer.exe)
cfc6e0014b3cc8d4dcaf0d76e2382556 (BetterShaders Setup 1.0.3.exe)
b150afa6b3642ea1da1233b76f7b454e (Software.exe)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Distribution of Infostealer Made With Electron appeared first on ASEC BLOG.
Article Link: Distribution of Infostealer Made With Electron - ASEC BLOG