Flaw in Telegram app could spread malware

Multipurpose malware delivered to desktops to carry out cryptocurrency mining

Security researchers have discovered a zero-day flaw in the Telegram desktop app that could enable hackers to infect systems with malware that can be used either as a backdoor or to mine cryptocurrency.

According to researchers at Kaspersky Labs, the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, mining currencies such as Monero and Zcash.

Researchers said that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) Unicode method. The RLO character is intended for writing languages that run from right to left, such as Arabic or Hebrew. However, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.

Hackers used a hidden Unicode character in the file name that reversed the display order of the characters that followed it, so the name the user saw did not match the file's real extension. As a result, users downloaded hidden malware which was then installed on their systems. Kaspersky Lab said it had reported the vulnerability to Telegram and that, at the time of publication, the zero-day flaw had not been observed in Telegram's products since.
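The check below is an added example (not Kaspersky's or Telegram's code) of how a defender can screen incoming file names for the RLO trick the article describes: it flags Unicode bidirectional control characters, approximates the name a naive renderer would display, and compares the displayed extension with the one the operating system will actually use. The sample file name is constructed for illustration.

```python
# Unicode bidirectional control characters that can alter how a file name is
# displayed. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one described in the article;
# the others are included because they can be abused the same way.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in a file name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """Extension the OS acts on: text after the last '.' once controls are removed."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows: text after an RLO is drawn
    reversed until a PDF (U+202C) or the end of the string; controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def check_filename(name):
    """Flag any bidi control and report whether the visible extension is misleading."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    actual_ext = real_extension(name)
    return {
        "controls": find_bidi_controls(name),
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": actual_ext,
        "suspicious": bool(find_bidi_controls(name)) or shown_ext != actual_ext,
    }


if __name__ == "__main__":
    # Constructed sample: a JavaScript file whose name is shown as "...resj.png".
    print(check_filename("photo_high_re\u202egnp.js"))
```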

Researchers also found several scenarios of zero-day exploitation in the wild by threat actors. The vulnerability was exploited to deliver cryptocurrency mining malware for several types of cryptocurrency, including Monero, Zcash, Fantomcoin and others. While analysing criminals' servers, researchers found archives containing a Telegram local cache that had been stolen from victims.

Kaspersky also said that upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in criminals gaining remote access to the victim's computer. After installation, it started to operate in a silent mode, which allowed hackers to remain unnoticed in the network and execute different commands including the further installation of spyware tools.

Researchers said that artefacts discovered during the research indicate that the malware is Russian in origin.

"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," said Alexey Firsh, malware analyst, Targeted Attacks Research at Kaspersky Lab.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software; such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."
