
Flaw in Telegram app could spread malware

Multipurpose malware delivered to desktops to carry out cryptocurrency mining

Security researchers have discovered a zero-day flaw in the Telegram desktop app that could enable hackers to infect systems with malware that can be used either as a backdoor or to mine cryptocurrency.

According to researchers at Kaspersky Labs, the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, mining currencies such as Monero and Zcash.

Researchers said that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) Unicode character. It is normally used to render languages that are written from right to left, such as Arabic or Hebrew. However, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.

Hackers used a hidden Unicode character in the file name that reversed the display order of the characters that followed it, effectively disguising the file's real name and extension. As a result, users downloaded hidden malware, which was then installed on their systems. Kaspersky Lab said it had reported the vulnerability to Telegram and that, at the time of publication, the zero-day flaw had not since been observed in Telegram's products.
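As an added defensive example (not code from the article or from Kaspersky), the following Python check flags file names that contain Unicode bidirectional control characters, reports the extension the operating system actually uses, and approximates how a bidi-aware UI would display the name. The sample file names are constructed for illustration.

```python
# Unicode bidi embedding/override/isolate controls that can alter rendering order.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(name):
    """Return (index, control name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def real_extension(name):
    """Extension the OS uses: taken from the logical string with controls stripped."""
    cleaned = "".join(c for c in name if c not in BIDI_CONTROLS)
    _, dot, ext = cleaned.rpartition(".")
    return ext.lower() if dot else ""

def displayed_name(name):
    """Approximate the rendered name: text after an RLO (up to a PDF or the end)
    is shown reversed. This covers the single-RLO trick described in the article,
    not the full Unicode bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":                      # RLO: reverse the run that follows
            end = name.find("\u202c", i + 1)   # PDF terminates the override
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:               # other controls: drop from display
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)

def assess(name):
    """Summarise why a file name is (or is not) suspicious."""
    controls = find_bidi_controls(name)
    return {
        "has_bidi_control": bool(controls),
        "controls": controls,
        "real_extension": real_extension(name),
        "displayed_as": displayed_name(name),
    }

# Constructed samples: a benign image, and a script whose name hides an RLO.
SAMPLES = ["holiday.png", "photo_high_re\u202egnp.js"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n), assess(n))
```

A mail gateway or download handler can apply the same check and quarantine any file whose displayed name and real extension disagree.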

Researchers also found several scenarios of zero-day exploitation in the wild by threat actors. The vulnerability was exploited to deliver cryptocurrency mining malware that mined several types of cryptocurrency, including Monero, Zcash, Fantomcoin and others. While analysing the criminals' servers, researchers found archives containing Telegram local caches that had been stolen from victims.

Kaspersky also said that upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, giving criminals remote access to the victim's computer. After installation, it operated in silent mode, which allowed hackers to remain unnoticed on the network and execute various commands, including the further installation of spyware tools.

Researchers said that artefacts discovered during the research indicate that the malware is Russian in origin.

"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," said Alexey Firsh, malware analyst, Targeted Attacks Research at Kaspersky Lab.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software; such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."
