CavalierGPT: The First Comprehensive Infostealers AI Bot - Read More →

Distribution of Infostealer Made With Electron

AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron.

Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format. The threat actor in this attack case applied this installer format to the malware. [1]

Case #1

When one runs the malware, the Electron application with the following folder hierarchy is installed and executed.

Figure 1. Hierarchy of the installed Electron project

Because Electron interacts with the OS via node.js, the actual malicious behaviors are defined in the node.js script, which is packaged inside the .asar file (usually in the app\resources path). Thus, unpacking with npm asar allows the complete code to be viewed.

Figure 2. Installing and unpacking asar
Figure 3. Unpacked asar file

The malicious behaviors are defined in a.js and the details are given below.

Figure 4. Malicious behaviors defined in a script (a.js)

Case #2

Another malware strain disguised as a TeamViewer-related file uploads the collected user information on gofile, a file-sharing service.

Figure 5. Collecting and uploading user information

The uploaded data includes system information, browser histories, and saved ID and password information.

Figure 6. A part of the uploaded file

Generally, the NSI script directly executes the malware distributed in the NSIS installer format. Yet because the malware strains in the cases above are additionally passed through the Electron structure, they are difficult to recognize as malware both for detection and for users.

If users wish to use games or utilities, they must use the files provided by official websites.

[IOC Info]
9926e2782d603061b52d88f83d93e7af (TeamViewer.exe)
cfc6e0014b3cc8d4dcaf0d76e2382556 (BetterShaders Setup 1.0.3.exe)
b150afa6b3642ea1da1233b76f7b454e (Software.exe)

Don’t Stop Here

More To Explore

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise