
Hackers Weaponize Electron Framework to Steal Data Stealthily

Hackers are abusing the Electron framework, which lets developers build cross-platform desktop applications from web technologies (HTML, JavaScript and CSS), to package malware. 

Because Electron is flexible and widely used, the same tooling lets an attacker build malicious programs that run across operating systems and blend in with legitimate desktop software. 

Cybersecurity researchers at ASEC recently discovered that hackers have been actively using the Electron Framework to build advanced infostealer malware, which harvests sensitive data from infected systems.

Technical Analysis

Electron applications are commonly shipped as Nullsoft Scriptable Install System (NSIS) installers, and the attackers used the same packaging, bundling their malware into an NSIS installer that looks like an ordinary Electron app setup.


ASEC observed this installer format across the samples in this campaign.

The researchers describe two cases:

Case 1

Running the installer drops an Electron application with the standard Electron folder layout and launches it.

Electron relies on Node.js for interaction with the operating system, so the malicious behaviour lives in the Node script packed inside the .asar archive (normally resources\app.asar under the install directory).

Installing and unpacking asar (Source – ASEC)

Extracting the archive with the asar npm package exposes the full source; in this sample the malicious logic is defined in a.js.

Case 2

A second strain poses as TeamViewer and exfiltrates user data (system information, browser histories and credentials) to the Gofile file-sharing service. 

Collecting and uploading user information (Source – ASEC)

Whereas an NSIS installer usually runs its payload directly from the NSI script, these strains hide the malicious logic inside a legitimate-looking Electron application, which makes it harder for both users and security tools to spot. 

ASEC also advises users to obtain games and utilities only from the official websites.

Recommendations

The key recommendations are:

  • Obtain software only from official sources, and verify the authenticity of both the program and the site it came from, since this campaign disguises its malware as genuine applications.
  • Treat unfamiliar Electron-based applications with caution; the bundled app.asar can carry malicious Node.js code and is worth inspecting before trusting the app.
  • Be suspicious of unexpected NSIS installers, which can run arbitrary code at install time.
  • Keep the operating system and security software up to date so that new variants are detected.
  • Enforce access controls and monitor outbound uploads to file-sharing services such as Gofile, which this campaign used for exfiltration.

IoCs (MD5)

  • 9926e2782d603061b52d88f83d93e7af (TeamViewer.exe)
  • cfc6e0014b3cc8d4dcaf0d76e2382556 (BetterShaders Setup 1.0.3.exe)
  • b150afa6b3642ea1da1233b76f7b454e (Software.exe)


Tushar Subhra Dutta
