Flaw in Telegram app could spread malware

Multipurpose malware delivered to desktops to carry out cryptocurrency mining

Security researchers have discovered a zero-day flaw in the Telegram desktop app that could enable hackers to infect systems with malware that can be used either as a backdoor or to mine cryptocurrency.

According to researchers at Kaspersky Labs, the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, mining currencies such as Monero and Zcash.

Researchers said that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) unicode method. It is generally used for coding languages that are written from right to left, like Arabic or Hebrew. Besides that, however, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.

Hackers used a hidden unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their systems. Kaspersky Lab said it had reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in the products.

Researchers also found several scenarios of zero-day exploitation in the wild by threat actors.  The vulnerability was exploited to deliver cryptocurrency mining malware to mine several types of cryptocurrency including Monero, Zcash, Fantomcoin and others. While analysing criminals' servers, researchers found archives containing a Telegram local cache that had been stolen from victims.

Kaspersky also said that upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in criminals gaining remote access to the victim's computer. After installation, it started to operate in a silent mode, which allowed hackers to remain unnoticed in the network and execute different commands including the further installation of spyware tools.

Researchers said that artefacts discovered during the research indicate that the malware is Russian in origin.

"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," said Alexey Firsh, malware analyst, Targeted Attacks Research at Kaspersky Lab.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021