This Threat Analysis report is part of the “Purple Team Series” in which the LevelBlue Global Security Operations Center (GSOC) provides a technical overview of some of the methods that threat actors are using to compromise their victims.
# Analysis Summary
# Tool/Technique: Electron Application Backdooring
## Overview
This technique involves hijacking trusted Electron-based desktop applications (which combine Chromium and Node.js) to execute malicious code. By modifying the internal JavaScript files or resources of a legitimate application, threat actors can achieve persistence and bypass application safelisting/EDR controls by hiding malicious activity under a trusted process.
## Technical Details
- **Type:** Technique / Malware Persistence Method
- **Platform:** Windows, macOS, Linux (Cross-platform)
- **Capabilities:** Persistence, Evasion of application control/EDR, Execution of arbitrary code via Node.js integration.
- **First Seen:** Notably used in 2021-2022 (APT27).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- **T1546 - Event Triggered Execution**
- **TA0005 - Defense Evasion**
- **T1564 - Hide Artifacts**
- **T1204.002 - User Execution: Malicious File**
- **T1071.001 - Application Layer Protocol: Web Protocols**
## Functionality
### Core Capabilities
- **Internal Logic Modification:** Altering the `app.asar` archive or entry-point JavaScript files (e.g., `main.js`) to include malicious logic.
- **Native API Access:** Leverages the built-in Node.js runtime within Electron to interact directly with the operating system, bypassing traditional web sandbox restrictions.
- **Trusted Process Execution:** Malicious functions run within the context of a signed, legitimate binary (e.g., Teams, Slack, or custom apps), making them difficult to distinguish from normal app behavior.
### Advanced Features
- **Hollowing/Replacement:** Completely replacing the application's original JavaScript logic with a C2 (Command and Control) stub while maintaining the original file metadata.
- **Cross-Platform Compatibility:** Because Electron uses web technologies, the same backdooring logic can often be applied to Windows and macOS versions of the same app.
## Indicators of Compromise
- **File Hashes:** (Varies by specific malware; check for unexpected hashes of `app.asar` or `resources/app/` files in common Electron apps).
- **File Names:** `app.asar`, `package.json`, `main.js`.
- **Registry Keys:** N/A (Persistence is typically file-based within the app directory).
- **Network Indicators:** Connections from trusted application processes (e.g., `Teams.exe`) to unknown/suspicious IPs or domains (e.g., `hxxps[:]//remote-c2-server[.]com`).
- **Behavioral Indicators:**
  - Electron binaries spawning `cmd.exe` or `powershell.exe`.
  - Modification of `.asar` files in `%AppData%` or `Program Files`.
  - Unexpected network traffic from a productivity application that occurs while the app is seemingly idle.
## Associated Threat Actors
- **APT27 (Emissary Panda):** Known for backdooring the "Mimi Chat" application to target Windows and macOS users.
## Detection Methods
- **Signature-based detection:** Monitoring for known malicious JavaScript stubs injected into Electron resource files.
- **Behavioral detection:**
  - Tracking file integrity changes to `.asar` archives.
  - Identifying anomalous child processes (e.g., a chat app launching a shell).
  - Monitoring for unusual Node.js module loads (e.g., `child_process`, `fs`, or `net`) from the Electron main process.
- **YARA rules:** Scanning for Node.js-specific C2 patterns within `.asar` files.
## Mitigation Strategies
- **Prevention measures:** Implementation of Application Control/Allowlisting (e.g., Windows Defender Application Control) that validates both the binary and its associated resource files.
- **Hardening recommendations:**
  - Ensure Electron apps use "Context Isolation" and "Sandbox" mode.
  - Restrict write permissions to the application's installation directory to prevent unauthorized modification of code archives.
  - Use code signing for internal scripts and resources where supported.
## Related Tools/Techniques
- **DLL Hijacking:** Similar concept of piggybacking on a trusted loader.
- **Living off the Land (LotL):** Using legitimate frameworks (Node.js/Electron) for malicious purposes.
- **Asar (Electron Archive Utility):** The tool used to pack and unpack Electron source files during the backdooring process.