A zero-day vulnerability has been discovered in the desktop version of the end-to-end encrypted Telegram messaging app, and it was being exploited in the wild to spread malware that mines cryptocurrencies such as Monero and ZCash.
The Telegram vulnerability was uncovered by security researcher Alexey Firsh of Kaspersky Lab last October and affects only the Windows client of the Telegram messaging software.
The flaw has been actively exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs; the malware then used their CPU power to mine cryptocurrencies or served as a backdoor that let the attackers remotely control the affected machine, according to a blog post on Securelist.
Here’s How the Telegram Vulnerability Works
The vulnerability lies in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), a formatting character used to display text in languages written from right to left, such as Arabic or Hebrew.
According to Kaspersky Lab, the malware authors placed a hidden RLO Unicode character in the file name, which reverses the display order of every character that follows it, so the visible name no longer matches the file's real name and extension, and then sent the file to Telegram users.
For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the name is rendered on the user’s screen with the last part flipped, so it appears as “photo_high_resj.png”: a harmless-looking image, while the operating system still treats it as a .js script.
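The following Python script is an added example, not code from the article or from Kaspersky Lab. It shows the trick described above in both directions: a simplified renderer that mimics how a naive UI displays a name containing U+202E (ASCII text after the override is drawn reversed; glyph mirroring of brackets is ignored), the extension the operating system actually uses, and a detector that flags bidi control characters and extension mismatches. The sample file name is constructed from the article's example; the function names are the author's own.

```python
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override run

# Unicode directional formatting characters that can disguise a file name.
# Any of them in a file name received from an untrusted sender is suspicious.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"              # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"  # LRI, RLI, FSI, PDI
)

# Constructed from the article's example: "photo_high_re" + RLO + "gnp.js"
SAMPLE_NAME = "photo_high_re" + RLO + "gnp.js"


def displayed_name(filename: str) -> str:
    """Approximate how a bidi-aware UI renders an ASCII file name.

    Simplification of the Unicode bidi algorithm: everything after an RLO up
    to the next PDF (or the end of the string) is displayed reversed.
    """
    head, sep, tail = filename.partition(RLO)
    if not sep:
        return filename
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + displayed_name(rest)


def real_extension(filename: str) -> str:
    """The extension the OS uses, which ignores how the name is drawn."""
    return os.path.splitext(filename)[1].lower()


def find_bidi_controls(filename: str) -> list:
    """Return (index, Unicode name) for every bidi control in the name."""
    return [(i, unicodedata.name(ch))
            for i, ch in enumerate(filename) if ch in BIDI_CONTROLS]


def is_disguised(filename: str) -> bool:
    """True when the extension the user sees differs from the real one."""
    return real_extension(displayed_name(filename)) != real_extension(filename)


def sanitize(filename: str) -> str:
    """Strip bidi controls so the visible name matches what the OS sees."""
    return "".join(ch for ch in filename if ch not in BIDI_CONTROLS)


if __name__ == "__main__":
    for name in (SAMPLE_NAME, "vacation.png"):
        print("raw bytes :", name.encode("unicode_escape").decode())
        print("displayed :", displayed_name(name))
        print("real ext  :", real_extension(name))
        print("controls  :", find_bidi_controls(name))
        print("disguised :", is_disguised(name))
        print("sanitized :", sanitize(name))
        print()
```

A client-side check like `find_bidi_controls` or `is_disguised` is what a messaging app (or a mail gateway) needs before showing a received name to the user; simply reversing the visible text is not a fix, because the name stored on disk still ends in `.js` and Windows will run it as a script.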
“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.
Kaspersky Lab reported the vulnerability to Telegram, and the company has since patched it in its products; as the Russian security firm put it: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”
Hackers Used Telegram to Infect PCs with Cryptocurrency Miners
During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency-mining malware, which uses the victim’s PC’s computing power to mine different cryptocurrencies, including Monero, Zcash, Fantomcoin and others.
While analyzing the attackers’ servers, the researchers also found archives containing Telegram local caches that had been stolen from victims.
In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command-and-control protocol, allowing the attackers to gain remote access to the victim’s computer.
“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.
Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases which [the researchers] detected [were] occurring in Russia,” and many artifacts pointed towards Russian cybercriminals.
The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.
The security firm also recommends that users avoid sharing any sensitive personal information in messaging apps and make sure to have good antivirus software from a reliable company installed on their systems.