Stage 1 C2 for backdooring Electron applications to bypass application controls. This technique abuses the trust of signed vulnerable Electron applications to gain execution on a target system.
Description
At runtime, an Electron application reads JavaScript files, interprets their code and executes them within the Electron process. The animation below demonstrates how the Microsoft Teams Electron application reads a JavaScript file at runtime, which then uses the Node.JS child_process module to execute whoami.exe.Since Electron applications execute JavaScript at runtime, modifying these JavaScript files allows attackers to inject arbitrary Node.js code into the Electron process. By leveraging Node.js and Chromium APIs, JavaScript code can interact with the operating system.
Loki was designed to backdoor Electron applications by replacing the applications JavaScript files with the Loki Command & Control JavaScript files.
Features & Details
- Uses Azure Storage Blobs for C2 channel.
- All C2 messages are AES encrypted with dynamically created AES keys.
- SAS Token to protect C2 storage account.
- Proxy-aware agent.
- Uses Chromium renderer child processes for agent, shellcode execution, and assembly fork-n-run style execution, so inherits proxy-aware capabilities of Chromium.
- Teamserver-less
- Unlike traditional C2's where agents send messages to a Teamserver, there is no Teamserver.
- The GUI client & agents both checkin to the same data-store for commands and output.
- Hidden window and does not show in taskbar after execution, Loki process is ran in background.
- Can stay alive for months calling back until the computer is restarted.
- Robust exception handling in kernel process, if agent child process dies from an exception or bug then kernel spawns a new agent process.
Commands
All agent commands are written in native Node.JS and do not require additional dependecies or library load events. With the exception of the scexec and assembly commands which do a library load on keytar.node and assembly.node.Backdooring Electron Apps and Keeping the real Application Working as Normal
The most straightforward way to use Loki is to replace the files in {ELECTRONAPP}/resources/app/ with the Loki files. This hollows out the app, meaning the app wont function normally -- Loki replaced its functionality.If you really want to keep the Electron application running and have it also deploy Loki in the background all hope is not lost! John Hammond and I figured out a way to keep the real Electron application running. We've added the file you will need to /loki/proxyapp/init.js in this repo.
It is currently setup to work for Cursor, discovered to be vulnerable by John Hammond.
For doing this you will need to:
- Download the Cursor app
- Paste all Loki files except package.json to cursor/resources/app/
- Don't replace the real package.json
- Copy /loki/proxyapp/init.js to cursor/resources/app/
- Modify contents of cursor/resources/app/package.jaon to:
- set "main":"init.js",
- delete "type":"module",
- delete "private":true,
How this works
- With these changes Cursor.exe will load in init.js on click / execution
- init.js reads in packages.json
- init.js changes "main":"init.js", -> "main":"main.js",
- main.js is Loki
- init.js spawns and disowns a new Cursor.exe which points to Loki
- Loki is spawned in the background
- init.js reads in packages.json again
- init.js changes "main":"main.js", -> "main":"./out/main.js",
- ./out/main.js" is the real Cursor application
- init.js spawns and disowns a new Cursor.exe which points to the real Cursor
- Real Cursor app is spawned, visible and operates as normal
- When Cursor is exited by the user:
- init.js catches the exit
- init.js reads in packages.json for a third time
- init.js changes "main":"./out/main.js", -> "main":"init.js",