electron_shell: RAT tool by leveraging Electron’s features for command injection

Electron command injection

Electron_shell

An increasing number of desktop applications are opting for the Electron framework.

Electron provides a method that can be debugged, usually by utilizing Chrome’s inspect function or calling inspect through Node.js. In this project, the implementation of inspect was analyzed, and a method for automatically parasitizing common Electron programs was developed.

By establishing a connection with the Command and Control (C2) server, a simple remote control is achieved.

Due to the widespread trust of most antivirus software in these well-known applications (with digital signatures), executing malicious commands in the program context provides excellent concealment and stability.

For these injected applications, it is necessary to carefully consider the potential legal risks brought by such actions. When users analyze program behavior, they may be surprised to find that the parent process executing malicious behavior comes from the application they trust.

Developing a more covert Remote Access Trojan (RAT) tool by leveraging Electron’s features for command injection and combining it with remote control methods.

Features

  • 🌈 Supports almost all operating systems

    • mac
    • linux
    • windows
  • 📦 Supports almost all desktop applications developed based on Electron

  • 🎨 All malicious operations are executed by the injected program, those commonly used trusted programs

  • Bypass of Network Access Control Policy for Applications by Zero Trust Sandbox

  • ⚙️ Verified that it will not be discovered by the antivirus software below

    (Please note that a simple command call has been implemented here, and some behavior-based heuristic checks will still prompt , bypass AV is not a key issue to be addressed in this project)

    • Windows Defender
    • avast
    • 火绒
    • 360
    • 腾讯管家
    • virustotal

Install & Use

Copyright (C) 2023 djerryz