Description
Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)
Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background, potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of teams.exe and chrome.exe may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe").(Citation: Electron 6-8)
Adversaries may also execute malicious content by planting malicious JavaScript within Electron applications.(Citation: Electron Security)
Platforms
Mitigations (3)
Exploit Protection (M1050)
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. Ensure that Electron is updated to the latest version and critical vulnerabilities (such as nodeIntegration bypasses) are patched and cannot be exploited.
Disable or Remove Feature or Program (M1042)
Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries’ power to plant malicious JavaScript within Electron applications.(Ci
Execution Prevention (M1038)
Where possible, enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. For example, do not use shell.openExternal with untrusted content.
Where possible, set nodeIntegration to false, which disables access to the Node.js function.(Citation: Electron Security 3) By disabling access to the Node.js function, this may limit the abili
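The two renderer-side mitigations above (disable Node.js integration in windows that show remote content, and never pass untrusted strings to shell.openExternal) come down to a handful of settings in the main process. The following is an added example written for this page, not code from the Electron project or from MITRE: it shows the weak webPreferences beside the hardened ones, an audit function that reports the weak values, and an allow-list check to run before shell.openExternal. The allowed host names are assumptions; the BrowserWindow wiring is shown in a comment because it needs an Electron runtime, while the functions themselves run under plain Node.js.

```javascript
// Added example: hardened Electron webPreferences and a guard for
// shell.openExternal. Nothing here is the project's own code.

// A configuration commonly seen in older or hastily written apps: the page
// that loads remote content can require() Node modules directly, so any
// injected JavaScript has the full power of the Node.js runtime.
const WEAK_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
  webSecurity: false,
};

// Settings for any window that loads remote content. Electron's defaults for
// these have changed across major versions, so set them explicitly rather
// than relying on the default of whichever version ships with the app.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,  // renderer cannot reach Node.js APIs
    contextIsolation: true,  // preload script and page run in separate JS worlds
    sandbox: true,           // renderer runs inside the Chromium OS sandbox
    webSecurity: true,       // same-origin policy stays enforced
  };
}

// Report which of the four settings are in their weak state. Undefined
// values are not flagged here; set them explicitly so the audit is meaningful.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  if (prefs.sandbox === false) findings.push('sandbox is disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity is disabled');
  return findings;
}

// shell.openExternal hands its argument to the operating system, which will
// happily open file:, and custom protocol handlers. Restrict it to https
// URLs whose host is on an allow list (assumed hosts for this example).
const ALLOWED_HOSTS = new Set(['example.com', 'docs.example.com']);

function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // not a parseable URL at all
  }
  if (url.protocol !== 'https:') return false;
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Main-process wiring (requires Electron; shown for context, not executed here):
//
// const { BrowserWindow, shell } = require('electron');
// const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
// win.webContents.setWindowOpenHandler(({ url }) => {
//   if (isSafeExternalUrl(url)) shell.openExternal(url);
//   return { action: 'deny' }; // never let the renderer open a new window itself
// });

module.exports = { WEAK_PREFERENCES, hardenedWebPreferences, auditWebPreferences, isSafeExternalUrl };
```

With nodeIntegration off and contextIsolation on, any capability the page genuinely needs has to be exposed deliberately through a preload script, which keeps the attack surface reviewable. The openExternal guard rejects anything that is not https to an approved host, which also covers the file: and custom-scheme cases that a plain "starts with http" check would miss.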
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has leveraged Electron Applications to disable GPU sandboxing to avoid detection by security s... |
References
- Alanna Titterington. (2023, September 14). Security of Electron-based desktop applications. Retrieved March 7, 2024.
- ElectronJS.org. (n.d.). Retrieved March 7, 2024.
- Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved March 7, 2024.
- TOM ABAI. (2023, August 10). There’s a New Stealer Variant in Town, and It’s Using Electron to Stay Fully Undetected. Retrieved March 7, 2024.
- Trend Micro. (2023, June 6). Abusing Electron-based applications in targeted attacks. Retrieved March 7, 2024.
Frequently Asked Questions
What is T1218.015 (Electron Applications)?
T1218.015 is a MITRE ATT&CK technique named 'Electron Applications'. It belongs to the Stealth tactic(s). Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electr...
How can T1218.015 be detected?
Detection of T1218.015 (Electron Applications) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.015?
There are 3 documented mitigations for T1218.015. Key mitigations include: Exploit Protection, Disable or Remove Feature or Program, Execution Prevention.
Which threat groups use T1218.015?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.