Supports almost all operating systems
Supports almost all desktop applications developed based on Electron
All malicious operations are executed by the injected program, those commonly used trusted programs
Bypass of Network Access Control Policy for Applications by Zero Trust Sandbox
Verified that it will not be discovered by the antivirus software below
(Please note that a simple command call has been implemented here, and some behavior based heuristic checks will still prompt , bypass AV is not a key issue to be addressed in this project)
An increasing number of desktop applications are opting for the Electron framework.
Electron provides a method that can be debugged, usually by utilizing Chrome’s inspect function or calling inspect through Node.js. In this project, the implementation of inspect was analyzed, and a method for automatically parasitizing common Electron programs was developed.
By establishing a connection with the Command and Control (C2) server, a simple remote control is achieved.
Due to the widespread trust of most antivirus software in these well-known applications (with digital signatures), executing malicious commands in the program context provides excellent concealment and stability.
For these injected applications, it is necessary to carefully consider the potential legal risks brought by such actions. When users analyze program behavior, they may be surprised to find that the parent process executing malicious behavior comes from the application they trust.
C2 Server Setup
- Deploy a server and obtain a public IP address
- and then exec command:
nc -lvnp 8899
clone this project
injected_app: The electron program you want to inject
c2: set c2_Public IP and c2_netcat Port
node build.js, and then pkg to an execute program
Send to victim, and get electron_shell
Source : KitPloit – PenTest Tools!