Facebook Messenger App for Windows has a Bug

A new bug with Facebook Messenger for Windows was discovered that lets hackers hijack a call for a resource with the app code to run the malware. The bug was discovered by the researchers of Reason Labs, in the version 460.16 of the Facebook Messenger app.

Vulnerability/Application used for persistence

It was found that the messenger app supplied a strange call to Powershell.exe from the Python27 directory. This directory can be accessed without admin privileges.

Upon that observation, the researchers decided to reverse shell it. The used msfvenom and a listener with Metasploit for this. They created a new payload and changed its name to powershell.exe to hijack the messenger app call.

On doing this, the researchers were able to execute the “Messenger” application and were also able to get a reverse shell connection.

Now, to infect a system, chain persistence is very important. An attacker needs to make sure that the connection is not lost with the target machine.

 

The advantage of persistence is that the malware creator can use the affected system to exploit other systems in the local/same network or remote location.

 

The complexity or how dangerous a malware in context with the persistence method is defined by the hackers based on the privileges of the target machine.

Due to the pandemic situation of Covid-19, people are spending much more time over the Internet than they used to. So, the chances of getting affected have also increased more. Facebook alone reported a 70% increase in time and time with messenger increases by 50%.

 

Recommendations

It is recommended to consider the following best practices:

  • Facebook has released the update for the Facebook Messenger app. The updated version is 480.5. The users are requested to update the application to the latest version.
  • Anyone should avoid downloading any application from any unknown or untrusted source.
  • Always keep your system and the applications updated so that they have latest security patches and hence remain protected.