Squirrel packages’ manager as a lolbin (a.k.a. many Electron apps are lolbins by default)

A week or so ago I posted this tweet referring to Slack’s executables as lolbins. I had already written about it last year: Slack’s update.exe is a nice lolbin, because it is actually a Squirrel packages’ manager in disguise, a side effect of using Electron.

I was wondering whether this is a common pattern, and whether Slack is the only software producer relying on this paradigm. Right… yeah, I know, ‘paradigm’ sounds very academic and serious, but it is just about software development frameworks, file naming, where the files end up on the user’s system, how they behave, and in the end what you get from a command line when you run update.exe /? (or something along these lines), provided the software authors relied on the same Electron framework Slack did. As my tweet showed, the result was deemed ‘Lolbinish’.

So, before we go any further, here is a TL;DR for you: run this on your (test/targeted) system:

C:\Users>dir /a/b/s update.exe

This will give you a list of candidate programs that may in fact be wrappers of the Squirrel packages’ manager.

Once you run the cherry-picked update.exe, you will typically get this banner:

Usage: Squirrel.exe command [OPTS]
Manages Squirrel packages
[...]

and… yup… you can use it as a Lolbin, as described in my tweet and last year’s post:

  • %USERPROFILE%\AppData\Local\<app>\update.exe --processStart "test.exe" (where test.exe must be placed in an app-* subfolder)

You can not only run programs via this proxy, but also, for example, create shortcuts:

  • %USERPROFILE%\AppData\Local\<app>\update.exe --createShortcut <target> -l <locations>, e.g.:
    • %USERPROFILE%\AppData\Local\slack\update.exe --createShortcut c:\WINDOWS\system32\mspaint.exe -l Desktop,StartMenu

After googling around, I can confirm that there are more apps placing update.exe on users’ systems, including, but not limited to:

I bet there are more, and I bet there will be more in the future, because Electron is a popular framework for an app ecosystem that wants to ship to Windows, Linux and OSX at the same time.

When you browse the https://electronjs.org/ web site, you can find references to many applications built using this framework:

  • 1Clipboard
  • Atom
  • Beaker Browser
  • Caret
  • Collectie
  • Discord
  • Figma
  • Flow
  • Ghost
  • GitHub Desktop
  • GitKraken
  • Hyper
  • Insomnia
  • JIBO
  • Kap
  • Kitematic
  • Now Desktop
  • Simplenote
  • Skype
  • Slack
  • Svgsus
  • WebTorrent
  • WordPress.com

Also, in some cases update.exe doesn’t produce any output if run without any command line (e.g. Discord’s). In such a case you can just blindly try Update.exe --processStart <file_inside_the_app_folder>. I can confirm it still works and launches the program of our choice. Your mileage with other Electron apps may vary.

All in all, not a big deal, but good to know about, on both the blue and the red team side of the puzzle.
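For the blue team side, here is an added example (my own code, not Slack’s, Squirrel’s or Electron’s) of what a triage rule over process-creation telemetry could look like. It assumes a constructed event shape (image, command_line, parent_image) and a constructed per-app allowlist of what each update.exe is expected to start; its sample events reuse the command lines quoted above. A normal Slack shortcut launch passes, while a --processStart of an unexpected executable, a launch from cmd.exe, or a --createShortcut pointing outside the app folder is flagged.

```python
"""Triage Squirrel update.exe launches seen in process-creation telemetry.

Added example written for this post; it is not code from Squirrel, Slack,
Electron or any EDR product. Everything here is constructed: the event
shape (image, command_line, parent_image), the per-app allowlist, and the
sample events, whose command lines reuse the ones quoted in the post.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SQUIRREL_NAMES = {"update.exe", "squirrel.exe"}

# Constructed allowlist: app folder under %LOCALAPPDATA% -> executables its
# update.exe legitimately starts (the app's own Start Menu shortcut does this).
EXPECTED_TARGETS = {"slack": {"slack.exe"}, "discord": {"discord.exe"}}

# Squirrel is normally started by Explorer or by the app itself, not a shell.
SCRIPTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def split_cmdline(cmd: str) -> List[str]:
    """Windows-style split: double-quoted runs stay together, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_options(tokens: List[str]) -> List[Tuple[str, str]]:
    """Pair each -option/--option with its value (--opt=value or --opt value)."""
    pairs, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, has_eq, val = tok.partition("=")
            if not has_eq and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                val = tokens[i + 1]
                i += 1
            pairs.append((name.lower(), val.strip('"')))
        i += 1
    return pairs


def is_absolute(path: str) -> bool:
    return bool(re.match(r"^[a-zA-Z]:[\\/]", path)) or path.startswith("\\\\")


def triage(event: Dict[str, str]) -> List[str]:
    """Return findings for one event; an empty list means nothing stood out."""
    image = event["image"]
    if ntpath.basename(image).lower() not in SQUIRREL_NAMES:
        return []
    findings = []
    app_dir = ntpath.dirname(image)
    app_name = ntpath.basename(app_dir).lower()
    expected = EXPECTED_TARGETS.get(app_name)

    if "\\appdata\\local\\" not in image.lower():
        findings.append(f"Squirrel manager running outside %LOCALAPPDATA%: {image}")
    if ntpath.basename(event.get("parent_image", "")).lower() in SCRIPTED_PARENTS:
        findings.append(f"launched from a shell or script host: {event['parent_image']}")

    for opt, val in parse_options(split_cmdline(event["command_line"])[1:]):
        if opt in ("--processstart", "--processstartandwait"):
            # Squirrel resolves a bare file name inside its newest app-* folder,
            # so a path component or an unexpected executable is worth a look.
            if val != ntpath.basename(val):
                findings.append(f"{opt} given a path rather than a file name: {val}")
            if expected is not None and ntpath.basename(val).lower() not in expected:
                findings.append(f"{opt} target not expected for {app_name}: {val}")
        elif opt == "--createshortcut":
            # Shortcuts Squirrel creates for itself point into the app folder; an
            # absolute path elsewhere is the shortcut trick shown in the post.
            if is_absolute(val) and not val.lower().startswith(app_dir.lower()):
                findings.append(f"--createShortcut to a file outside {app_dir}: {val}")
    return findings


# Constructed telemetry modelled on process-creation events (e.g. Sysmon ID 1).
SAMPLE_EVENTS = [
    {   # normal Start Menu launch of Slack through its Squirrel shortcut
        "image": r"C:\Users\alice\AppData\Local\slack\Update.exe",
        "command_line": r'"C:\Users\alice\AppData\Local\slack\Update.exe" --processStart=slack.exe',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # the proxy-execution command line quoted in the post, typed in cmd.exe
        "image": r"C:\Users\alice\AppData\Local\slack\update.exe",
        "command_line": r'update.exe --processStart "test.exe"',
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # the shortcut-creation command line quoted in the post
        "image": r"C:\Users\alice\AppData\Local\slack\update.exe",
        "command_line": r"update.exe --createShortcut c:\WINDOWS\system32\mspaint.exe -l Desktop,StartMenu",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for n, event in enumerate(SAMPLE_EVENTS):
        print(n, triage(event) or "nothing unusual")
```

The allowlist is the part that needs local tuning: every Squirrel-packaged app has a different main executable, and the Start Menu shortcut for such apps really does go through Update.exe --processStart, so flag on the target, not on the mere presence of update.exe.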

Beyond good ol’ Run key, Part 101

This is a somewhat unusual way of establishing persistence.

We don’t add any Registry entries. We also don’t really drop any malicious executable files, unless we have to (fileless malware could establish persistence this way).

How?

By leveraging the omnipresent unins000.dat and unins000.exe files that are dropped by any setup program built with the InnoSetup installer.

One can build a small InnoSetup script, e.g. like this:

[Setup]
AppName=test
AppVersion=1
DefaultDirName=.
DefaultGroupName=test
[Run]
Filename: "c:\windows\system32\calc.exe"
[UninstallRun]
Filename: "c:\windows\system32\notepad.exe"

After installing the resulting .exe, we can collect the unins000.dat and unins000.exe generated during this session. They ensure that Notepad is executed when the application is uninstalled. An attacker could simply ‘borrow’ these and place them in a folder where unins000.dat and unins000.exe already exist (typically a subfolder of c:\Program Files or c:\Program Files (x86)).

We need to replace unins000.exe too, because the custom-made unins000.exe dropped by the original installer may have dependencies that our unins000.dat doesn’t resolve.

Once the user tries to uninstall a program that relies on the InnoSetup uninstall process, unins000.exe will process the content of unins000.dat and run Notepad.

Since unins000.exe is clean, and only unins000.dat is really the bad guy here, it is a sort of Lolbin, or Lolbinstaller. Security companies are forced either to detect the malicious content inside the .dat file, or to rely on behavioral analysis.
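One way to give behavioral analysis a head start is plain file-integrity monitoring of the uninstaller pairs. The added example below (my own code, not Inno Setup’s) hashes every uninsNNN.exe/.dat under a root and diffs two snapshots: a .dat rewritten while its .exe is untouched, a pair swapped with no installer run to explain it, a half-missing pair, or a pair that appeared out of nowhere all get reported. The BASELINE/CURRENT snapshots are constructed, with made-up digests; snapshot_tree() is the only part that touches a real file system.

```python
"""Integrity baseline for Inno Setup uninstaller pairs (uninsNNN.exe/.dat).

Added example written for this post; it is not Inno Setup code. The idea is
plain file-integrity monitoring: the installer writes both files, so a
change to either one that no installer run accounts for deserves review.
snapshot_tree() hashes a real directory tree; the BASELINE/CURRENT
snapshots below are constructed, with made-up digests.
"""
import hashlib
import os
import re
from typing import Dict, List, Tuple

UNINS_FILE = re.compile(r"^unins\d{3}\.(exe|dat)$", re.IGNORECASE)

# A snapshot maps a lower-cased file path to its SHA-256 hex digest.
Snapshot = Dict[str, str]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: str) -> Snapshot:
    """Hash every uninsNNN.exe/.dat under root, e.g. C:\\Program Files."""
    snap: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if UNINS_FILE.match(name):
                full = os.path.join(dirpath, name)
                snap[full.lower()] = sha256_file(full)
    return snap


def pair_key(path: str) -> str:
    """Strip the extension so .exe and .dat of one uninstaller share a key."""
    return path.rsplit(".", 1)[0]


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return (pair, finding) tuples for every uninstaller pair that changed."""
    findings = []
    for pair in sorted({pair_key(p) for p in list(baseline) + list(current)}):
        exe, dat = pair + ".exe", pair + ".dat"
        b_exe, c_exe = baseline.get(exe), current.get(exe)
        b_dat, c_dat = baseline.get(dat), current.get(dat)
        if c_exe is None and c_dat is None:
            continue  # both gone: the program was uninstalled, nothing left to run
        if (c_exe is None) != (c_dat is None):
            findings.append((pair, "incomplete pair: only one of .exe/.dat present"))
        elif b_exe is None and b_dat is None:
            findings.append((pair, "pair not in baseline: new install, or planted"))
        elif c_dat != b_dat and c_exe == b_exe:
            findings.append((pair, ".dat rewritten while .exe unchanged: uninstall actions changed"))
        elif c_exe != b_exe and c_dat == b_dat:
            findings.append((pair, ".exe replaced while .dat unchanged"))
        elif c_exe != b_exe:
            findings.append((pair, "both files replaced: correlate with installer/updater activity"))
    return findings


def _digest(label: str) -> str:
    """Constructed stand-in digest for the sample snapshots."""
    return hashlib.sha256(label.encode()).hexdigest()


PF = r"c:\program files"


def _path(app: str, ext: str) -> str:
    """Constructed lower-cased path of one uninstaller file."""
    return f"{PF}\\{app}\\unins000.{ext}"


BASELINE: Snapshot = {}
for _app in ("appa", "appb", "appc"):
    BASELINE[_path(_app, "exe")] = _digest(f"{_app}-exe-v1")
    BASELINE[_path(_app, "dat")] = _digest(f"{_app}-dat-v1")

CURRENT: Snapshot = dict(BASELINE)
CURRENT[_path("appa", "dat")] = _digest("appa-dat-v2")   # only the .dat changed
CURRENT[_path("appb", "exe")] = _digest("appb-exe-v2")   # both files swapped
CURRENT[_path("appb", "dat")] = _digest("appb-dat-v2")
del CURRENT[_path("appc", "exe")]                         # appc was uninstalled
del CURRENT[_path("appc", "dat")]
CURRENT[_path("appd", "exe")] = _digest("appd-exe-v1")   # appd appeared
CURRENT[_path("appd", "dat")] = _digest("appd-dat-v1")

if __name__ == "__main__":
    for pair, finding in diff_snapshots(BASELINE, CURRENT):
        print(f"{pair}: {finding}")
```

In practice the baseline is taken right after software deployment and refreshed by the same change process that runs installers; a .dat that changes outside such a window is the signal the .dat-only scenario above leaves behind, and a pair that changes together is only benign if an upgrade explains it.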

Another trivial persistence method related to the uninstallation process, one I believe I have not discussed here before and one that is not tied to InnoSetup per se, is to modify the UninstallString/QuietUninstallString values of the programs installed on the system.

While they typically point to the native uninstallers, nothing prevents replacing them with commands that run any other program:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program name>\UninstallString = <string>

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program name>\QuietUninstallString = <string>

Any time someone runs the uninstaller, they will run the command of the attacker’s choice. Again, the good news is that one needs elevated rights to modify these entries, since they live under the HKLM key.
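To audit these values, here is an added example (my own code, not Microsoft’s or Inno Setup’s) that reads the UninstallString/QuietUninstallString values on a Windows host with winreg and flags entries that run through a shell or script host, reference user-writable paths, point an Inno Setup (_is1) entry at something other than its uninsNNN.exe or outside its InstallLocation, or name an executable that isn’t on disk. The proxy-binary list, the path hints and the SAMPLE_ENTRIES (placeholder GUID included) are constructed, so the audit also runs on a non-Windows box.

```python
"""Audit UninstallString / QuietUninstallString values for tampering.

Added example written for this post; it is not Microsoft or Inno Setup code.
On Windows, collect_live_entries() reads the Uninstall keys with winreg; on
any host the audit also runs against the constructed SAMPLE_ENTRIES below,
which model what the collector returns. Heuristics and lists are my own.
"""
import os
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Interpreters and proxies that make an uninstall string run arbitrary code.
PROXY_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Installed uninstallers are not expected in user-writable locations.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
INNO_UNINSTALLER = re.compile(r"^unins\d{3}\.exe$", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Extract the program from an uninstall command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def audit(entries: List[Dict[str, str]],
          path_exists: Optional[Callable[[str], bool]] = None) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, finding) for every entry that deserves review."""
    findings = []
    for e in entries:
        exe = executable_of(e["command"])
        base = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
        msgs = []
        if base in PROXY_BINARIES:
            msgs.append(f"runs through a proxy binary: {base}")
        if any(h in e["command"].lower() for h in USER_WRITABLE_HINTS):
            msgs.append("references a user-writable location")
        # Inno Setup registers apps under <AppId>_is1 and points at uninsNNN.exe.
        if e["key"].lower().endswith("_is1") and not INNO_UNINSTALLER.match(base):
            msgs.append(f"Inno Setup entry no longer points at its uninsNNN.exe: {exe}")
        loc = e.get("install_location", "").rstrip("\\").lower()
        if loc and INNO_UNINSTALLER.match(base) and not exe.lower().startswith(loc):
            msgs.append(f"uninstaller outside InstallLocation {loc}: {exe}")
        if path_exists and re.match(r"^[a-zA-Z]:\\", exe) and not path_exists(exe):
            msgs.append(f"uninstaller executable missing on disk: {exe}")
        findings.extend((e["key"], e["value_name"], m) for m in msgs)
    return findings


# Constructed entries; the GUID is a placeholder, not a real product code.
SAMPLE_ENTRIES = [
    {"key": "Acme Tool_is1", "value_name": "UninstallString",
     "command": r'"C:\Program Files (x86)\Acme Tool\unins000.exe"',
     "install_location": "C:\\Program Files (x86)\\Acme Tool\\"},
    {"key": "Acme Tool_is1", "value_name": "QuietUninstallString",
     "command": r'"C:\Program Files (x86)\Acme Tool\unins000.exe" /SILENT',
     "install_location": "C:\\Program Files (x86)\\Acme Tool\\"},
    {"key": "{00000000-0000-0000-0000-000000000000}", "value_name": "UninstallString",
     "command": "MsiExec.exe /X{00000000-0000-0000-0000-000000000000}"},
    {"key": "Other App_is1", "value_name": "UninstallString",
     "command": r"cmd.exe /c C:\Users\Public\helper.exe",
     "install_location": "C:\\Program Files\\Other App\\"},
]


def collect_live_entries() -> List[Dict[str, str]]:
    """Windows only: read the 64-bit, 32-bit and per-user Uninstall keys."""
    import winreg  # imported here so the module also loads on non-Windows hosts
    tail = r"Microsoft\Windows\CurrentVersion\Uninstall"
    roots = [(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\" + tail),
             (winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\WOW6432Node\\" + tail),
             (winreg.HKEY_CURRENT_USER, "SOFTWARE\\" + tail)]
    entries = []
    for hive, path in roots:
        try:
            root = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, name) as sub:
                    vals = {}
                    for v in ("UninstallString", "QuietUninstallString", "InstallLocation"):
                        try:
                            vals[v] = str(winreg.QueryValueEx(sub, v)[0])
                        except OSError:
                            pass
                    for v in ("UninstallString", "QuietUninstallString"):
                        if v in vals:
                            entries.append({"key": name, "value_name": v, "command": vals[v],
                                            "install_location": vals.get("InstallLocation", "")})
    return entries


if __name__ == "__main__":
    live = sys.platform == "win32"
    for key, value_name, msg in audit(collect_live_entries() if live else SAMPLE_ENTRIES,
                                      os.path.exists if live else None):
        print(f"{key} [{value_name}]: {msg}")
```

Every finding is a review item rather than a verdict: a few legitimate products do use rundll32 or cmd in their uninstall strings, so the useful workflow is to snapshot the output once and alert on changes to it, exactly as with the unins000 pair.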