AhnLab SEcurity intelligence Center (ASEC) has discovered an infostealer built with Electron.
Electron is a framework for building desktop applications with JavaScript, HTML, and CSS; Discord and Microsoft Visual Studio Code are well-known examples of Electron applications. Electron apps are packaged and commonly distributed as Nullsoft Scriptable Install System (NSIS) installers, and the threat actor in this case used the same installer format for the malware. [1]
Case #1
When the malware is run, an Electron application with the following folder hierarchy is installed and executed.
Because Electron interacts with the OS through Node.js, the actual malicious behavior is defined in a Node.js script packaged inside an .asar archive (normally resources\app.asar under the application's install directory). Extracting that archive with the asar tool from npm exposes the complete source code.
The malicious behavior is defined in a.js; the details are given below.
Case #2
Another malware strain, disguised as a TeamViewer-related file, uploads the collected user information to gofile, a file-sharing service.
The uploaded data includes system information, browser history, and saved login IDs and passwords.
Malware distributed as an NSIS installer is usually dropped and executed directly by the installer's NSI script, so the payload is exposed at install time. The strains in the cases above instead route the malicious logic through an Electron application, which makes them harder to recognize as malware, both for detection products and for users.
Users who want games or utilities should download them only from the official websites.
[IOC Info] (MD5)
9926e2782d603061b52d88f83d93e7af (TeamViewer.exe)
cfc6e0014b3cc8d4dcaf0d76e2382556 (BetterShaders Setup 1.0.3.exe)
b150afa6b3642ea1da1233b76f7b454e (Software.exe)