System Binary Proxy Execution: Electron Applications

Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.[1] Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.[2] The Chromium engine is used to display web content and Node.js runs the backend code.[3]

Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background, potentially disguised as legitimate tools within the framework.[3] For example, the abuse of teams.exe and chrome.exe may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe").[4]

Adversaries may also execute malicious content by planting malicious JavaScript within Electron applications.[5]

ID: T1218.015
Sub-technique of: T1218
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Debabrata Sharma
Version: 1.0
Created: 07 March 2024
Last Modified: 15 April 2025

Procedure Examples

ID: C0057
Name: 3CX Supply Chain Attack
Description: During the 3CX Supply Chain Attack, AppleJeus leveraged the 3CX application's Electron framework to execute its malicious libraries under the official 3CX Electron application.[6]

ID: S1213
Name: Lumma Stealer
Description: Lumma Stealer has leveraged Electron applications to disable GPU sandboxing to avoid detection by security software.[7]

Mitigations

ID: M1042
Mitigation: Disable or Remove Feature or Program
Description: Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries' power to plant malicious JavaScript within Electron applications.[8]

ID: M1038
Mitigation: Execution Prevention
Description: Where possible, enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. For example, do not call shell.openExternal with untrusted content.

Where possible, set nodeIntegration to false, which disables the renderer's access to Node.js APIs.[9] Removing that access limits an adversary's ability to execute commands on the host by injecting JavaScript into the application.

Do not disable webSecurity: doing so turns off the renderer's same-origin policy and may allow the application to load and invoke malicious content from online sources.

ID: M1050
Mitigation: Exploit Protection
Description: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. Ensure that Electron is updated to the latest version and that critical vulnerabilities (such as nodeIntegration bypasses) are patched and cannot be exploited.
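As an added example, not taken from the ATT&CK page or from the Electron project, the following Node.js module gathers the settings named under M1038 into something a reviewer can check mechanically: hardenedWebPreferences() returns the defensive BrowserWindow webPreferences (nodeIntegration off, webSecurity on, context isolation and the Chromium sandbox enabled), auditWebPreferences() reports any of those settings that have been weakened, and isAllowedExternalUrl() gates shell.openExternal behind an https-only host allowlist so untrusted page content cannot hand a file: or custom-scheme URL to the operating system. The function names, the allowlist hosts and the createHardenedWindow() wiring are assumptions made for this illustration; the Electron options and APIs used (nodeIntegration, contextIsolation, sandbox, webSecurity, allowRunningInsecureContent, setWindowOpenHandler, shell.openExternal) are real.

```javascript
// Added example (not from the ATT&CK page or the Electron project): an audit helper
// for Electron BrowserWindow webPreferences plus a URL guard for shell.openExternal.
// Function names and the allowlist hosts are assumptions made for this illustration.

// Settings the mitigations call for: renderers showing remote content get no
// Node.js, keep the same-origin policy, and run isolated and sandboxed.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,            // M1038: no Node.js API in the renderer
    contextIsolation: true,            // preload and page scripts in separate JS worlds
    sandbox: true,                     // Chromium OS-level renderer sandbox
    webSecurity: true,                 // same-origin policy stays enforced
    allowRunningInsecureContent: false // no http: subresources on https: pages
  };
}

// Report settings that weaken a window. Returns a list of findings; empty means clean.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation disabled');
  if (prefs.sandbox === false) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent enabled');
  return findings;
}

// Guard for shell.openExternal: only https URLs whose host is on an explicit
// allowlist are handed to the OS. The hosts below are constructed placeholders.
const EXTERNAL_HOST_ALLOWLIST = new Set(['docs.example.com', 'support.example.com']);

function isAllowedExternalUrl(raw, allowlist = EXTERNAL_HOST_ALLOWLIST) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;                      // unparsable input is never opened
  }
  // The scheme check rejects file:, javascript: and custom protocol handlers,
  // all of which can hand control to another program on the host.
  if (url.protocol !== 'https:') return false;
  return allowlist.has(url.hostname);  // URL() lower-cases the hostname for us
}

// Wiring into Electron. Only evaluated when called, so the pure functions above
// can be exercised without Electron installed.
function createHardenedWindow() {
  const { BrowserWindow, shell } = require('electron');
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isAllowedExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };         // the page never creates windows itself
  });
  return win;
}

if (typeof module !== 'undefined') {
  module.exports = { hardenedWebPreferences, auditWebPreferences, isAllowedExternalUrl, createHardenedWindow };
}
```

A practical way to use auditWebPreferences() is as a unit test in the application's own test suite, asserting that every BrowserWindow the app constructs audits clean, so a later change that flips nodeIntegration on or webSecurity off fails CI rather than shipping.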

Detection Strategy

ID: DET0025
Name: Detecting Electron Application Abuse for Proxy Execution

Analytic ID: AN0071
Analytic Description: Abuse of trusted Electron apps (Teams, Slack, Chrome) to spawn child processes or execute payloads via malicious command-line arguments (e.g., --gpu-launcher) and modified app resources (.asar). Behavior chain: suspicious parent process (Electron app) → unusual command-line args → child process creation → optional DLL/network artifacts.

Analytic ID: AN0072
Analytic Description: Abuse of Linux Electron binaries by modifying app.asar or config JS files and spawning unexpected child processes (bash, curl, python).

Analytic ID: AN0073
Analytic Description: Abuse of macOS Electron apps by modifying app.asar bundles and spawning child processes (osascript, curl, sh) from Electron executables.
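As an added example that is not part of the ATT&CK page, the following JavaScript models the behaviour chain described in AN0071 through AN0073 over process-creation and file-write telemetry: a parent that is an Electron-based application, a command line carrying the --gpu-launcher or --disable-gpu-sandbox flags named above, an unexpected interpreter or download-tool child (cmd.exe, bash, osascript, curl), or a write to app.asar by something other than the application's updater. The event field names, the parent and child binary lists, the updater allowlist and the sample events are all constructed for this illustration and would be mapped onto whatever telemetry source is actually in use (on Windows, Sysmon process-creation and file-create events carry the fields used here).

```javascript
// Added example, not from the ATT&CK page: a toy analytic for the Electron proxy
// execution behaviour chain (AN0071 Windows, AN0072 Linux, AN0073 macOS).
// Binary lists, event fields, the updater allowlist and the sample events are
// constructed assumptions for this illustration.

const ANALYTIC_BY_PLATFORM = { windows: 'AN0071', linux: 'AN0072', macos: 'AN0073' };

// Parent images that are Electron-based (Chrome included, as the page does).
const ELECTRON_PARENTS = {
  windows: new Set(['teams.exe', 'ms-teams.exe', 'slack.exe', 'chrome.exe', 'code.exe', 'signal.exe']),
  linux: new Set(['teams', 'slack', 'chrome', 'code', 'signal-desktop']),
  macos: new Set(['microsoft teams', 'slack', 'google chrome', 'code', 'signal']),
};

// Interpreters and download tools a GUI application has no routine reason to spawn.
const SUSPICIOUS_CHILDREN = {
  windows: new Set(['cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'mshta.exe', 'rundll32.exe']),
  linux: new Set(['bash', 'sh', 'curl', 'wget', 'python', 'python3']),
  macos: new Set(['osascript', 'curl', 'sh', 'bash', 'python3']),
};

// Chromium switches named on the page; matched in parent and child command lines,
// since the launcher value ends up as the child's own command line.
const SUSPICIOUS_FLAGS = ['--gpu-launcher=', '--disable-gpu-sandbox'];

// Processes allowed to rewrite app.asar (assumed updater names; tune per deployment).
const TRUSTED_UPDATERS = new Set(['update.exe', 'squirrel.exe', 'msiexec.exe', 'dpkg', 'installer']);

function baseName(p) {
  return String(p || '').split(/[\\/]/).pop().toLowerCase();
}

// Process-creation event -> finding object, or null when nothing is suspicious.
function evaluateProcessEvent(ev) {
  const parents = ELECTRON_PARENTS[ev.platform];
  if (!parents) return null;
  const parent = baseName(ev.parentImage);
  if (!parents.has(parent)) return null;               // not an Electron parent: out of scope
  const child = baseName(ev.image);
  const cmdText = `${ev.parentCommandLine || ''} ${ev.commandLine || ''}`.toLowerCase();
  const reasons = [];
  for (const flag of SUSPICIOUS_FLAGS) {
    if (cmdText.includes(flag)) reasons.push(`command line contains ${flag}`);
  }
  if (SUSPICIOUS_CHILDREN[ev.platform].has(child)) reasons.push(`unexpected child ${child}`);
  if (reasons.length === 0) return null;
  return { kind: 'process', analytic: ANALYTIC_BY_PLATFORM[ev.platform], parent, child, reasons };
}

// File-write event -> finding or null. Flags writes into app.asar or the unpacked
// resources/app directory by anything that is not a known updater.
function evaluateFileEvent(ev) {
  const analytic = ANALYTIC_BY_PLATFORM[ev.platform];
  if (!analytic) return null;
  const target = String(ev.targetPath || '').replace(/\\/g, '/').toLowerCase();
  if (!target.endsWith('/app.asar') && !target.includes('/resources/app/')) return null;
  const writer = baseName(ev.image);
  if (TRUSTED_UPDATERS.has(writer)) return null;
  return { kind: 'file', analytic, writer, target, reasons: ['app resources modified by non-updater'] };
}

function runAnalytic(events) {
  return events
    .map((ev) => (ev.type === 'file' ? evaluateFileEvent(ev) : evaluateProcessEvent(ev)))
    .filter((f) => f !== null);
}

// Constructed sample telemetry: one hit per analytic, plus two benign controls
// (a normal Chrome renderer launch and an updater rewriting app.asar).
const SAMPLE_EVENTS = [
  { type: 'process', platform: 'windows',
    parentImage: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    parentCommandLine: 'chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\system32\\cmd.exe /c calc.exe"',
    image: 'C:\\Windows\\System32\\cmd.exe', commandLine: 'C:\\Windows\\system32\\cmd.exe /c calc.exe' },
  { type: 'process', platform: 'windows',
    parentImage: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe', parentCommandLine: 'chrome.exe',
    image: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe', commandLine: 'chrome.exe --type=renderer' },
  { type: 'process', platform: 'linux',
    parentImage: '/usr/share/code/code', parentCommandLine: '/usr/share/code/code',
    image: '/usr/bin/bash', commandLine: 'bash -c "echo tampered"' },
  { type: 'process', platform: 'macos',
    parentImage: '/Applications/Slack.app/Contents/MacOS/Slack', parentCommandLine: 'Slack',
    image: '/usr/bin/osascript', commandLine: 'osascript -e "display dialog hi"' },
  { type: 'file', platform: 'macos', image: '/usr/bin/python3',
    targetPath: '/Applications/Slack.app/Contents/Resources/app.asar' },
  { type: 'file', platform: 'windows', image: 'C:\\Users\\u\\AppData\\Local\\slack\\Update.exe',
    targetPath: 'C:\\Users\\u\\AppData\\Local\\slack\\app-4.0.0\\resources\\app.asar' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runAnalytic(SAMPLE_EVENTS)) console.log(f.analytic, f.reasons.join('; '));
}
```

The parent allowlist is the part that needs the most local tuning: Electron applications are common, so the list should be built from the software actually deployed, and the child list should be reviewed against legitimate behaviour (some apps do spawn a shell for a terminal feature) before the analytic is promoted from hunting to alerting. Pairing the file-write branch with a hash baseline of each installed app.asar gives a stronger tamper signal than path matching alone.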

References