Automatically scan the file system to identify Electron applications vulnerable to ASAR tampering.
ASAR tampering (MITRE ATT&CK T1218.015, System Binary Proxy Execution: Electron Applications) is the modification of an Electron application's packaged source files inside its .asar archive to introduce malicious code or alter existing functionality. Electron can pin the archive's header hash inside the executable (the EnableEmbeddedAsarIntegrityValidation fuse), but that protection is off by default. When an application ships without it, and the archive sits in a directory the user can write to, an attacker can replace or edit the ASAR contents to gain persistence, execute arbitrary JavaScript in the application's process, or hijack its normal behaviour, while the signed executable itself stays untouched.
ElectronVulnScanner enumerates installed Electron applications, locates their ASAR archives, and flags those whose code integrity protection is disabled. An example run of ElectronVulnScanner.exe is shown in the image below:
[image: ElectronVulnScanner.exe output]
Once a vulnerable Electron application is identified, test for JavaScript code injection by extracting its .asar file, if one exists (some applications unpack the archive to disk at install time and ship no .asar; GitHub Desktop in the table below is one such case). AsarEdit /u unpacks a given .asar archive. The usage for AsarEdit.exe is:

```text
.\AsarEdit.exe /?
Usage:
  AsarEdit.exe /u <input.asar> <output_dir>
  AsarEdit.exe /p <input_dir> <output.asar>
  AsarEdit.exe /v <input.asar>
Description:
  Packs, unpacks, and verifies Electron ASAR archive files.
Commands:
  /u <input.asar> <output_dir>   Extract ASAR archive to directory
  /p <input_dir> <output.asar>   Create ASAR archive from directory
  /v <input.asar>                Verify ASAR integrity (hash & blocks)
Examples:
  AsarEdit.exe /u .\app.asar extracted
  AsarEdit.exe /p .\extracted app.new.asar
  AsarEdit.exe /v .\app.new.asar
```
- Running `ElectronVulnScanner.exe`, we identified two vulnerable Electron applications: Discord and VS Code.
- After locating Discord's `core.asar` file, we extracted its contents to a directory named `extracted` using `AsarEdit.exe /u`.
- We then added our `SpawnCalcProc.js` file, a PoC script that spawns a calc process.
- To execute it, we inserted a one-liner at the beginning of the `init` function (around line 918) in `app\mainScreen.js` that calls the function exported by `SpawnCalcProc.js`.
- After backing up the original `core.asar`, we repacked the `extracted` directory into a new `core.asar` with `AsarEdit.exe /p`; the result spawns a calc process whenever `init` is invoked.
- Finally, running Discord, we can observe the calc process being spawned successfully:

[video: DiscordDemo.mp4]
The following table lists the applications tested with ElectronVulnScanner.exe:

| Application | Vulnerable to ASAR tampering | Notes |
|---|---|---|
| Discord | Yes | core.asar and app.asar |
| Claude Desktop | No | Code integrity check is enabled |
| VS Code | Yes | app.asar |
| Canva | No | Code integrity check is enabled |
| Slack | No | Was instead found to be vulnerable to DLL sideloading from a user-writable directory |
| Signal Desktop | No | Code integrity check is enabled |
| Cursor | Yes | app.asar |
| Notion | Yes | app.asar |
| Microsoft Teams | No | Microsoft Teams has been a WebView2 application, not an Electron application, since 2023 |
| GitHub Desktop | Yes | Has no .asar files; the application source is shipped unpacked under \resources\app, where it can be edited directly |
Note: for additional potentially vulnerable Electron applications, refer to the list in the Loki C2 repository.