Flaw in Telegram app could spread malware

Multipurpose malware delivered to desktops to carry out cryptocurrency mining

Security researchers have discovered a zero-day flaw in the Telegram desktop app that could enable hackers to infect systems with malware that can be used either as a backdoor or to mine cryptocurrency.

According to researchers at Kaspersky Labs, the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, mining currencies such as Monero and Zcash.

Advertisement - Article continues below

Researchers said that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) unicode method. It is generally used for coding languages that are written from right to left, like Arabic or Hebrew. Besides that, however, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.

Hackers used a hidden unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their systems. Kaspersky Lab said it had reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in the products.

Researchers also found several scenarios of zero-day exploitation in the wild by threat actors.  The vulnerability was exploited to deliver cryptocurrency mining malware to mine several types of cryptocurrency including Monero, Zcash, Fantomcoin and others. While analysing criminals' servers, researchers found archives containing a Telegram local cache that had been stolen from victims.

Kaspersky also said that upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in criminals gaining remote access to the victim's computer. After installation, it started to operate in a silent mode, which allowed hackers to remain unnoticed in the network and execute different commands including the further installation of spyware tools.

Advertisement - Article continues below
Advertisement - Article continues below

Researchers said that artefacts discovered during the research indicate that the malware is Russian in origin.

"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," said Alexey Firsh, malware analyst, Targeted Attacks Research at Kaspersky Lab.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



Evasive malware threats doubled in 2019

24 Mar 2020
cyber security

Kaspersky grants healthcare bodies free security software

23 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Most Popular

video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020