Threat Analysis: Backdoored Electron Apps Evading Defenses

LevelBlue’s GSOC shows how trusted Electron apps can be abused for persistence and to bypass application safelisting by backdooring or hollowing out applications like GitHub Desktop and Microsoft Teams. The report also demonstrates detection guidance for Loki C2 activity and highlights APT27-linked abuse of Electron applications such as Mimi Chat. #Electron #GitHubDesktop #MicrosoftTeams #LokiC2 #APT27 #MimiChat

Keypoints

  • Electron applications create a unique attack surface because they combine Chromium and Node.js and often evade traditional EDR scrutiny.
  • Threat actors can backdoor Electron apps by modifying files like main.js or app.asar while keeping the application functional.
  • The report demonstrates persistence by downloading and executing a Meterpreter payload from a backdoored GitHub Desktop or Teams installation.
  • Teams can be hollowed out and replaced with Loki C2 agent code to bypass WDAC application safelisting controls.
  • APT27 previously abused an Electron application, Mimi Chat, to compromise Windows and macOS systems.
  • Blue team detection focuses on abnormal child processes, file modifications, suspicious network connections, and unexpected file deletions.
  • Recommended defenses include installing Electron apps in non-user-writable paths, baselining expected app behavior, and enabling file event monitoring.
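As an added defender-side example (not code from the LevelBlue report), the following Python script applies two of the recommendations above: it baselines the hashes of the Electron components the report names as backdooring targets (app.asar and .js bundles), reports files that were modified, added or deleted, and flags an install that lives under a user-writable AppData path. The sample install and the change made to it are constructed inline.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Electron components the report names as backdooring targets (app.asar, main.js, main.bundle.js).
WATCHED_SUFFIXES = (".asar", ".js")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Hash every watched file under an Electron install (typically its resources/ folder)."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and p.suffix in WATCHED_SUFFIXES}

def diff_baseline(before: dict, after: dict) -> list:
    """Compare two baselines; each finding is (relative_path, 'modified'|'deleted'|'added')."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            findings.append((rel, "deleted"))
        elif rel not in before:
            findings.append((rel, "added"))
        elif before[rel] != after[rel]:
            findings.append((rel, "modified"))
    return findings

def in_user_writable_location(win_path: str) -> bool:
    """True when an install lives under C:\\Users\\<user>\\AppData, which the report advises against."""
    parts = [p.lower() for p in PureWindowsPath(win_path).parts]
    return len(parts) > 3 and parts[1] == "users" and parts[3] == "appdata"

def demo() -> list:
    """Constructed scenario: baseline a fake install, then alter main.js and delete app.asar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "resources"
        (root / "app").mkdir(parents=True)
        (root / "app.asar").write_bytes(b"constructed sample archive bytes")
        (root / "app" / "main.js").write_text("require('electron');\n")
        before = baseline(root)
        with (root / "app" / "main.js").open("a") as f:
            f.write("// constructed change standing in for inserted code\n")
        (root / "app.asar").unlink()
        return diff_baseline(before, baseline(root))
```

Calling demo() returns the two findings for the constructed install; in practice, run baseline() once against a known-good install and diff_baseline() on a schedule or from a file-event trigger.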

MITRE Techniques

  • [T1218.015] System Binary Proxy Execution: Electron Applications – Abuse of trusted Electron applications to execute malicious code and bypass safelisting, described as ‘techniques included in the MITRE ATT&CK category T1218.015: Electron Applications’.
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript was inserted into Electron app files such as main.js and main.bundle.js to download and launch payloads, quoted as ‘we will backdoor the GitHub Desktop installation since it looks like we can easily modify the main.js file’ and ‘backdoor the main.bundle.js file with the same code’.
  • [T1105] Ingress Tool Transfer – The staged payload was downloaded from the attacker machine to the victim, quoted as ‘Downloads the Meterpreter executable payload from our Linux machine’.
  • [T1055] Process Injection – Electron app code was replaced or hollowed out so the trusted process effectively hosted attacker-controlled logic, described as ‘replacing all of the internal code of that application with our own’ and ‘hollow it out with our agent’.
  • [T1106] Native API – Electron’s JavaScript accessed native OS functionality through Electron APIs, described as ‘the call to dialog would resolve to the native MessageBox function on a Windows machine’.
  • [T1109] Multi-Stage Channels – The attack used a staged payload and a C2 channel for ongoing control, described as ‘call back on a C2 channel to our attacking machine’ and ‘execute a staged payload’.
  • [T1027] Obfuscated Files or Information – The article notes minified JavaScript made payload insertion harder to inspect, quoted as ‘Although the JavaScript code is minified’.
  • [T1036] Masquerading – Malicious activity ran under legitimate, trusted application names like Teams and GitHub Desktop, described as ‘hijacks trusted Electron applications’ and ‘safelisted by the WDAC policy’.

Indicators of Compromise

  • [IP addresses] C2 and payload hosting for the Meterpreter scenario – 10.0.5.3, 10.0.5.1
  • [TCP ports] Payload delivery and command-and-control communications – 80 and 4444; ports 22, 25 and 443 were also observed during Loki scanning activity
  • [File names] Electron app components modified during backdooring – main.js, app.asar, main.bundle.js
  • [File names] Electron packaging/resource files used for identification – chrome_100_percent.pak, chrome_200_percent.pak
  • [Directories] Application locations and hollowing targets – C:\Users\Alice\AppData, C:\Users\alice\AppData\Local\Microsoft\Teams\current\resources, C:\Users\[USERNAME]\AppData\Roaming\[NAME]
  • [Domains] Loki C2 Azure Blob Storage endpoints – *.blob.core.windows.net, blob.core.windows.net
  • [Command-line parameters] Process arguments indicating Loki activity – --user-data-dir


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/threat-analysis-backdoored-electron-apps-evading-defenses