Flaw in Telegram app could spread malware

Multipurpose malware delivered to desktops to carry out cryptocurrency mining

Security researchers have discovered a zero-day flaw in the Telegram desktop app that could enable hackers to infect systems with malware that can be used either as a backdoor or to mine cryptocurrency.

According to researchers at Kaspersky Labs, the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, mining currencies such as Monero and Zcash.

Researchers said that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) unicode method. It is generally used for coding languages that are written from right to left, like Arabic or Hebrew. Besides that, however, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.

Hackers used a hidden unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their systems. Kaspersky Lab said it had reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in the products.

Advertisement - Article continues below

Researchers also found several scenarios of zero-day exploitation in the wild by threat actors.  The vulnerability was exploited to deliver cryptocurrency mining malware to mine several types of cryptocurrency including Monero, Zcash, Fantomcoin and others. While analysing criminals' servers, researchers found archives containing a Telegram local cache that had been stolen from victims.

Kaspersky also said that upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in criminals gaining remote access to the victim's computer. After installation, it started to operate in a silent mode, which allowed hackers to remain unnoticed in the network and execute different commands including the further installation of spyware tools.

Researchers said that artefacts discovered during the research indicate that the malware is Russian in origin.

"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," said Alexey Firsh, malware analyst, Targeted Attacks Research at Kaspersky Lab.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Best antivirus for Windows 10

3 Sep 2019
endpoint security

Kaspersky Endpoint Security for Business Advanced review

1 May 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019