Posts

Showing posts from October, 2025

SystemShock Loader: A look at Malware Dropped by Fake Electron Apps

TL;DR “SystemShock is a malicious DLL loaded by Electron apps masquerading as production tools. The DLL performs anti-analysis and anti-VM checks and then attempts to download or run additional code. The file also sends out data, likely stolen information and screenshots. More about the specifics of the Electron apps found can be read in Malware Analysis: Fake Google Meet Application.” Background: Earlier in the week I ran across some fake video conferencing applications, which gave the user the impression that they were installers for tools such as MS Teams, Google Meet, and Zoom. However, none of these were signed by their respective organizations. A review of the applications showed a complex and layered approach to hiding a DLL that performs anti-analysis and anti-VM checks. The DLL also acts as a downloader for additional malware and AMSI bypass tools, and even appears to send out some recon data in t...

Malware Analysis: Fake Google Meet Application

TL;DR “Fake Google Meet installer unpacks an Electron app that performs anti-analysis checks and downloads follow-on stealer/downloader payloads (not signed by Google). Check out more information on SystemShock Loader.” While hunting suspicious Electron applications in VirusTotal, I came across Google_Meet 1.2.1.exe, which isn't signed by Google. The application is instead signed by "Gucheng County Sili Technology Co., Ltd.", a certificate that has since been revoked. However, VirusTotal has, at the time of this writing, 0 detections for this. So how bad can it be? This is an NSIS installer executable, meaning I can extract the files with 7-Zip. Inside $PLUGINSDIR is an app-64.7z file; in recent EvilAI and TamperedChef campaigns this usually means an Electron-based application is what gets extracted. Quick Note on EvilAI: I want to pause right here and suggest that "EvilAI" is more of a campaig...

Elevate.exe Understanding the Uses and Abuses

TL;DR elevate.exe is an open-source UAC helper commonly bundled with Windows installers and Electron builds; usually legitimate, but sometimes recompiled/signed and abused by threat actors (observed in recent EvilAI, TamperedChef, and BaoLoader campaigns). I was reading through an article by TRUESEC, and one thing that struck my peers and me was the elevate.exe file that exists in the samples that were analyzed. I mentioned to my peer that I see this file in many Electron apps I've analyzed this year. We kicked around the idea of how to build detection for this, but we needed to understand what it is. Firstly, as pointed out by TRUESEC, elevate.exe is a tool by Johannes Passing, found on the GitHub repo. The tool can be shipped/packaged with Windows executables which, on their own, do not elevate privileges; this helper will invoke UAC to elevate the privileges of the designated application. Initially, after readin...

Malware: Suspicious Time Tracker with keylogger

Hello World. Today, while hunting for new suspicious Electron-based applications, I ran across Daily Time Tracker. While hunting, I noticed these trackers appear to talk to app.dailytimetrack[.]com. The applications in question also appear to drop a lot of Python files. Take this file for example: dailytimetracker.exe. Well, that's interesting. So, I decided, why not go to dailytimetrack[.]com and download this application and start looking at it. Wouldn't you know it though, to my surprise, the version I got from there wasn't Python-based malware, but rather JS-based malware wrapped inside an Electron application! The downloaded installer is an NSIS installer, which can be extracted easily enough with 7-Zip. This has an app-64.7z file which then unpacks all the Electron-based app data. At a glance, there isn't too much that is super interesting about the main.js/preload.js files. Some oddities, like code to not actually close the app when you close it, and a ton of commented...
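The same triage steps recur across the Fake Google Meet, Elevate.exe and Daily Time Tracker posts above: unpack the NSIS installer with 7-Zip, look for $PLUGINSDIR/app-64.7z, note whether elevate.exe is bundled, count dropped Python files, and read main.js/preload.js for oddities such as a close handler that keeps the app alive. The script below is an added example written for this page, not the blog author's tooling. It assumes the installer has already been extracted with 7-Zip into a directory, runs against a constructed stand-in tree rather than any real sample, and the file names and regex heuristics it checks are assumptions drawn from the indicators described in the posts. Signer checks (the revoked certificate, a recompiled elevate.exe) are out of scope here and are done separately with sigcheck or Get-AuthenticodeSignature.

```python
"""Triage an unpacked NSIS/Electron installer tree for the indicators the
posts above describe.  Added example for this page, not the author's code.
Assumption: the installer was already extracted with 7-Zip, roughly:

    7z x Installer.exe -ounpacked
    7z x 'unpacked/$PLUGINSDIR/app-64.7z' -ounpacked/app
"""
import re
import tempfile
from pathlib import Path

# Regexes applied to main.js / preload.js.  Heuristics chosen for this
# example (assumptions); tune them before using on real samples.
JS_PATTERNS = {
    # A 'close' handler that calls preventDefault(): the window (and the
    # Electron process) keeps running after the user "closes" the app.
    "close_prevented": re.compile(
        r"\.on\(\s*['\"]close['\"][\s\S]{0,200}?preventDefault\("),
    # child_process in a supposed video-conferencing front-end is worth a
    # look: it is how main-process JS would launch dropped binaries.
    "spawns_processes": re.compile(
        r"require\(\s*['\"]child_process['\"]\s*\)"),
}


def triage(root: Path) -> dict:
    """Walk an unpacked installer tree and collect the indicators."""
    findings = {
        "electron_builder_payload": False,  # $PLUGINSDIR/app-64.7z present
        "elevate_exe": [],                  # every elevate.exe copy found
        "python_files": 0,                  # bundled .py files
        "js_flags": {},                     # main.js/preload.js -> hits
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name == "app-64.7z" and path.parent.name == "$PLUGINSDIR":
            findings["electron_builder_payload"] = True
        elif name == "elevate.exe":
            findings["elevate_exe"].append(rel)
        elif path.suffix.lower() == ".py":
            findings["python_files"] += 1
        elif name in ("main.js", "preload.js"):
            src = path.read_text(encoding="utf-8", errors="replace")
            hits = [k for k, rx in JS_PATTERNS.items() if rx.search(src)]
            if hits:
                findings["js_flags"][rel] = hits
    return findings


def reasons(findings: dict) -> list:
    """Turn findings into review reasons.  elevate.exe on its own is not a
    reason (legitimate Electron builds ship it); it is only reported when
    something else in the bundle is already off."""
    out = []
    if findings["python_files"]:
        out.append(f"{findings['python_files']} bundled .py file(s)")
    for rel, hits in findings["js_flags"].items():
        out.append(f"{rel}: {', '.join(hits)}")
    if out and findings["elevate_exe"]:
        out.append("elevate.exe present alongside the above (check its signer)")
    return out


def build_sample(base: Path) -> Path:
    """Constructed stand-in for an unpacked fake installer.  Not the
    contents of any real sample; file bodies are placeholders."""
    (base / "$PLUGINSDIR").mkdir(parents=True)
    (base / "$PLUGINSDIR" / "app-64.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")
    app = base / "app" / "resources" / "app"
    app.mkdir(parents=True)
    (app.parent / "elevate.exe").write_bytes(b"MZ")
    (app / "helper.py").write_text("import os\n")
    (app / "main.js").write_text(
        "const { app, BrowserWindow } = require('electron');\n"
        "const { spawn } = require('child_process');\n"
        "let win;\n"
        "app.whenReady().then(() => {\n"
        "  win = new BrowserWindow({ show: true });\n"
        "  win.on('close', (e) => { e.preventDefault(); win.hide(); });\n"
        "});\n")
    (app / "preload.js").write_text("window.api = {};\n")
    return base


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    root = build_sample(Path(tempfile.mkdtemp()))
    found = triage(root)
    return found, reasons(found)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Point `triage()` at the directory 7-Zip produced and read `reasons()` as a worklist, not a verdict: a legitimate electron-builder package will also carry app-64.7z and elevate.exe, so the script deliberately keys on the Python drop and the JS oddities first and only then mentions elevate.exe.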