Persistence method using Facebook Messenger desktop app
Reason Labs researcher Shai Alfasi finds a persistence method in the Facebook Messenger desktop app. The vulnerability was fixed in Facebook's new desktop application version.
Persistence vector via Facebook Messenger desktop app on Microsoft store
Covid-19 has had far-reaching consequences not just for our health, but also for our social lives, our personal lives, and our work lives. It has necessitated physical and social distancing, working from home, and contact and communication mainly through chat applications. We find ourselves spending more of our lives online than ever before, resulting in a marked increase in the use of mobile and desktop chat applications, with some applications seeing a 40% increase since the start of the pandemic. Facebook alone reported a 70% increase in time spent on its apps since the crisis and a 50% increase in messaging.
Recently, Reason Labs researchers discovered a problem in the Facebook Messenger app for Windows, which is available on the Microsoft Store. The app executes code that shouldn't be executed, resulting in a vulnerability that allows attackers to hijack a call for a resource within the Messenger code in order to run their malware. It is also a persistence threat that gives the attacker undetected access for an extended period of time. The vulnerability was previously unknown until it was identified in a Reason Labs security review. The affected version of the desktop Facebook Messenger app, Version 460.16, has been replaced with Version 480.5, which no longer has this problem. In this article, we dissect and analyze the vulnerability.
The operational usage of persistence
In the offensive cybersecurity kill chain, establishing persistence is one of the most important steps an attacker takes to make sure they do not lose their connection to the remote workstation. Most persistence methods used on Windows are common and well known, such as registry keys, scheduled tasks, auto-start services, and many more.
For a cybersecurity researcher or forensics investigator, it's relatively easy to find a malicious actor using such a persistence method, since the common logic for all malware requires only three things:
- Malware needs to communicate.
- Malware needs to run.
- Malware needs to stay hidden.
1. The resource is optional and does not actually exist.
2. The program does not have the absolute path for the resource and needs to traverse the search order.
By testing the new "Messenger" desktop application, the Reason research team found a strange call to load Powershell.exe from the Python27 directory. When we saw that, we knew we had found something, since "Python27" lives in the "c:\python27" directory, which is a low-integrity location. This means that any malicious program can access the path without administrator privileges.
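The search-order traversal described above, as an added example that is not Reason Labs' code: a small Python audit that walks the directories a program would search for an unqualified name such as powershell.exe, reports where the name resolves and whether a standard user can write to that directory, and also covers the case where the resource is optional and never found. The layout it builds in a temporary folder is constructed to mirror the finding; the names python27 and system32 are placeholders, not the real system paths.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    directory: str
    present: bool   # the resource exists in this directory
    writable: bool  # the current (non-admin) user can write here


def audit_search_order(resource, search_dirs):
    """Walk search_dirs as a loader would; return (resolved_path_or_None, findings).

    The first directory holding the resource wins, so any writable directory at
    or before it lets an attacker decide what the program actually runs."""
    findings, resolved = [], None
    for d in search_dirs:
        present = os.path.isfile(os.path.join(d, resource))
        findings.append(Finding(d, present, os.access(d, os.W_OK)))
        if present and resolved is None:
            resolved = os.path.join(d, resource)
    return resolved, findings


def hijackable(resource, search_dirs):
    """True when a user-writable directory is searched before the resource is
    found, including the case where the resource is optional and never found."""
    _, findings = audit_search_order(resource, search_dirs)
    for f in findings:
        if f.writable:
            return True   # attacker can plant the resource here first
        if f.present:
            return False  # resolved from a protected directory
    return False


def build_demo_layout():
    """Constructed stand-in for the Messenger case (not real system paths): a
    user-writable 'python27' directory searched before a read-only 'system32'."""
    root = tempfile.mkdtemp()
    python27, system32 = (os.path.join(root, n) for n in ("python27", "system32"))
    for d in (python27, system32):
        os.mkdir(d)
        open(os.path.join(d, "powershell.exe"), "w").close()  # planted vs legitimate copy
    os.chmod(system32, stat.S_IRUSR | stat.S_IXUSR)  # read-only on POSIX; no effect on Windows
    return python27, system32
```

On a real host the audit is run with the directories the target program actually searches, taken from the loader or Process Monitor, rather than the constructed layout.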
via blog.reasonsecurity