Using Slack and WhatsApp (Electron apps) for a malware attack

hackertron
4 min read · Feb 20, 2019


JavaScript has changed desktop app development. Electron is one of the most popular frameworks for building desktop applications with it, and Slack and WhatsApp Desktop are both Electron apps.

We are going to explore and use a DLL search order hijacking attack. For the attack to work, the victim needs to have Slack installed on their Windows system.

If you write an application for Windows and reference an external library, chances are you need to load that library (a DLL) from some location on disk. A lot of DLLs live in the Windows System32 folder, and many more live in the install folders of individual applications, but the Microsoft API DLLs you most commonly call are found in System32.

So when you load a DLL you should, realistically, give the fully qualified path of where you are loading it from. But developers can be lazy and give only the name of the DLL. In that case Windows falls back on a default search order: it walks a fixed list of directories and loads the first file with that name it finds. Windows considers this default order safe.

Windows calls this route "safe DLL search mode" (the SafeDllSearchMode setting, enabled by default). In that mode the order is: the directory the application was loaded from; the System32 directory; the 16-bit system directory; the Windows directory; the current directory; and finally the directories listed in PATH. The one exception is the small set of "known DLLs" (kernel32.dll, user32.dll and friends), which are always mapped from System32 regardless of where the application lives.

[Image: Windows safe DLL search order]

Interestingly, some binaries try to load DLLs that don't exist anywhere on the system. Slack references quite a number of DLLs by bare name, so each of them is resolved through the safe search order, and the first place Windows looks is the directory the application was loaded from. For Slack on Windows that is the per-user install folder under %LOCALAPPDATA%, which is writable by the user. When the DLL exists nowhere on the system (a "phantom" DLL), every directory in the order is searched and comes up empty, so a file with that name dropped into the application folder is the first, and only, match.

So consider this attack scenario: our victim has Slack installed on their Windows system and receives an email with a malicious attachment, or clicks a link in the email that downloads a file. Either way the user is tricked into running some malicious code, and that code drops a DLL with one of those missing names into the Slack application directory. From then on, every time Slack starts it looks for that DLL, finds ours, and loads it, so our code executes inside the Slack process every time Slack runs. Note that this is not an initial-access bug: the attacker already needs code execution as the user. What the hijack buys is persistence that survives reboots without touching the registry or startup folders, and execution inside a process the user launched deliberately.

[Image: list of DLLs that Slack tries to load but which are not found on the system]
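To make the search-order reasoning above concrete, here is a small Python model of it. This is an added example, not code from the original post: it stands in the real directories with temporary folders so it runs on any OS, and the DLL names, the KnownDLLs subset and the "version.dll exists in System32 / phantom.dll exists nowhere" setup are constructed for the demo. It shows why a dropped file in the user-writable application directory wins both against a DLL that really exists in System32 and for a phantom DLL, and why a known DLL such as kernel32.dll cannot be hijacked this way.

```python
"""Model of the Windows DLL search order (added example, not code from the post).

Temporary folders stand in for the real directories so this runs anywhere; the
point is which directory the loader would pick for a bare "name.dll".
"""
import os
import tempfile

# DLLs Windows always maps from System32, whatever the search order says. The
# real list lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs;
# this is a constructed subset for the demo.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs, safe_mode=True):
    """Directories Windows walks for LoadLibrary("name.dll") given with no path.

    SafeDllSearchMode (on by default) moves the current directory from second
    place to after the Windows directory. The 16-bit system directory is left
    out of this model.
    """
    if safe_mode:
        return [app_dir, system_dir, windows_dir, cwd, *path_dirs]
    return [app_dir, cwd, system_dir, windows_dir, *path_dirs]


def resolve_dll(name, order, system_dir, known_dlls=KNOWN_DLLS):
    """Path the loader would pick for `name`, or None if it exists nowhere."""
    name = name.lower()
    if name in known_dlls:
        candidate = os.path.join(system_dir, name)
        return candidate if os.path.isfile(candidate) else None
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate  # first hit wins; nothing later is consulted
    return None


def writable_dirs(order):
    """Directories in the order that the current user can drop files into."""
    return [d for d in order if os.path.isdir(d) and os.access(d, os.W_OK)]


def real_order(exe_path):
    """Search order for a real executable on Windows, built from the live environment."""
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    return search_order(
        os.path.dirname(os.path.abspath(exe_path)),
        os.path.join(system_root, "System32"),
        system_root,
        os.getcwd(),
        [p for p in os.environ.get("PATH", "").split(os.pathsep) if p],
    )


def demo():
    """Constructed scenario: the app dir is user-writable, 'system32' is the real one."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("app", "system32", "windows", "cwd", "path")}
    for d in dirs.values():
        os.makedirs(d)
    order = search_order(dirs["app"], dirs["system32"], dirs["windows"], dirs["cwd"], [dirs["path"]])

    # Constructed fixtures: version.dll really exists in System32; phantom.dll
    # exists nowhere (the "DLL not found" case from the post).
    open(os.path.join(dirs["system32"], "version.dll"), "w").close()
    before = {n: resolve_dll(n, order, dirs["system32"]) for n in ("version.dll", "phantom.dll")}

    # The malware drops three names into the user-writable application directory.
    for n in ("version.dll", "phantom.dll", "kernel32.dll"):
        open(os.path.join(dirs["app"], n), "w").close()
    after = {n: resolve_dll(n, order, dirs["system32"]) for n in ("version.dll", "phantom.dll", "kernel32.dll")}
    return dirs, before, after


if __name__ == "__main__":
    dirs, before, after = demo()
    for name in after:
        print(f"{name}: before={before.get(name)} after={after[name]}")
    print("writable:", writable_dirs(real_order(__file__)))
```

On a real Windows box, `writable_dirs(real_order(r"...\slack.exe"))` is the quick check: if the application directory comes back in that list, any bare-name DLL the app loads (existing or phantom, known DLLs excepted) can be hijacked without admin rights. The model omits things the real loader also does (already-loaded modules, manifests/SxS redirection, API sets), so treat it as the reasoning aid, not the loader.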

So let's create a malicious DLL that simply launches calc. You can easily create one with msfvenom (I will not go into the details of the payload).

[Image: exploit (the msfvenom-generated DLL)]

We can write to that location: it sits in the user's own profile, so no admin rights are needed. So how do we infect the user? Well, it's not uncommon for users to download a .doc file from any source (especially students desperate to complete an assignment). We can write macros in a .doc file that execute code (it's not stealthy, but good enough for a demonstration; real malware authors can be much, much stealthier).

This is a common technique malware authors use. The idea is to put the payload in the comments field of the document's properties and then use a macro to perform the malicious task (in this case, writing the DLL into the application folder). I have base64-encoded the exploit (not too stealthy).

[Image: the base64-encoded payload stored in the document comments]
[Image: the macro that decodes it and writes the DLL]

Now when we start Slack it also launches calc, every time. It's effectively a persistence mechanism. In this particular instance it does nothing malicious, obviously, because it's calc, but it shows the potential: the application puts no permissions around the folder it loads DLLs from, and it loads those DLLs lazily, by bare name rather than full path. Because the code runs inside slack.exe, a process the user starts deliberately, it also blends in with normal activity; a defender's best signal is a DLL loaded from a user-writable path that is unsigned or not signed by the app's publisher.
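For the defensive side of the persistence point above, here is the detection logic a SOC would run over Sysmon "Image loaded" (Event ID 7) telemetry. This is an added example, not code from the original post: the events, the Slack version folder, and the publisher allow-list are constructed for the demo. It flags DLLs that a watched Electron app loads from a user-writable directory when they are unsigned or signed by someone other than the app's own publisher, which is the footprint the calc-launching DLL leaves.

```python
"""Detection over Sysmon Event ID 7 ("Image loaded") records (added example,
not code from the post). All events below are constructed, not real telemetry.
"""

# Path fragments that mark locations an ordinary user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\downloads\\",
    "\\temp\\",
)

# Constructed allow-list: the signer expected on DLLs each watched app ships itself.
EXPECTED_SIGNERS = {
    "slack.exe": {"Slack Technologies, Inc."},
    "whatsapp.exe": {"WhatsApp Inc."},
}


def basename(win_path):
    """Last component of a Windows path (os.path would not split on '\\' on Linux)."""
    return win_path.rsplit("\\", 1)[-1]


def is_user_writable(win_path):
    return any(marker in win_path.lower() for marker in USER_WRITABLE_MARKERS)


def classify(event):
    """Return an alert reason for one Event ID 7 record, or None if it looks benign."""
    process = basename(event["Image"]).lower()
    if process not in EXPECTED_SIGNERS:
        return None  # this rule only watches the Electron apps from the post
    loaded = event["ImageLoaded"]
    if not is_user_writable(loaded):
        return None  # System32 etc.: planting there needs admin rights
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    if signed and status == "Valid" and signer in EXPECTED_SIGNERS[process]:
        return None  # one of the app's own shipped DLLs (Electron apps load several)
    if not signed:
        return f"unsigned DLL {basename(loaded)} loaded by {process} from a user-writable path"
    return f"DLL {basename(loaded)} loaded by {process} is signed by '{signer}' ({status}), not the app publisher"


def detect(events):
    """(ImageLoaded, reason) for every record that trips the rule, in input order."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event["ImageLoaded"], reason))
    return alerts


# Constructed sample telemetry shaped like the Sysmon Event ID 7 fields.
APP = "C:\\Users\\alice\\AppData\\Local\\slack\\app-3.3.7\\"
SAMPLE_EVENTS = [
    # Slack's own DLL, signed by its publisher: benign.
    {"Image": APP + "slack.exe", "ImageLoaded": APP + "ffmpeg.dll",
     "Signed": "true", "Signature": "Slack Technologies, Inc.", "SignatureStatus": "Valid"},
    # Normal System32 load: benign.
    {"Image": APP + "slack.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # The post's scenario: an unsigned DLL dropped next to slack.exe.
    {"Image": APP + "slack.exe", "ImageLoaded": APP + "version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # A valid but unrelated signature is still not the app publisher's.
    {"Image": APP + "slack.exe", "ImageLoaded": APP + "missing-example.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
    # Unwatched process: out of scope for this rule.
    {"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\thing.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


if __name__ == "__main__":
    for path, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

Keying on the signer rather than the path alone matters because Electron apps legitimately load several DLLs from their own install folder, so "DLL loaded from %LOCALAPPDATA%" by itself is pure noise. Event ID 7 is high volume and must be enabled in the Sysmon config, and the allow-list needs maintenance when a vendor's signing certificate changes. This technique is catalogued as MITRE ATT&CK T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking).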

I am being responsible here; it's not like I haven't disclosed this to Slack or WhatsApp, but WhatsApp (Facebook) doesn't care. For them it's more of a social engineering attack, and in the case of Slack they already know about the issue and are working towards fixing it.

[Image: Facebook's response]
[Image: Slack's response]

I also did a quick poll on Facebook (among my friends, so by no means accurate): not many actually use the WhatsApp desktop app. They prefer WhatsApp Web (good!).




Written by hackertron

Build, create, destroy, repeat. Web dev, app dev, game dev, security. github.com/hackertron
