Russian security researchers at Kaspersky Lab have identified a new malware campaign exploiting a zero-day vulnerability in Telegram Messenger. The flaw has primarily been used to spread malware that mines cryptocurrencies, including Monero and ZCash, without the device owner’s knowledge.
The new form of malware involves “the use of a classic right-to-left override (RLO) attack when a user sends files over the messenger service”, according to Kaspersky researcher Alexey Firsh, who discovered the Telegram vulnerability in October 2017.
The flaw has been actively exploited in the wild since at least March 2017. Attackers trick their targets into downloading malicious software onto their PCs; the software then serves as a backdoor, allowing the attackers to remotely take control of the affected machine and use its CPU power to mine cryptocurrencies.
The vulnerability rests in how the Telegram Windows client handles the RLO Unicode character (U+202E), a control character used to display text in scripts that are written and read from right to left, such as Hebrew or Arabic. The U+202E character can be used to mislead the victim, typically by altering how the name and extension of an executable file are displayed. Software vulnerable to this kind of attack will display part of the filename in reverse or not display the full text. As a result, the Telegram user sees an incoming PNG image file instead of a JavaScript file, and inadvertently downloads a malicious payload disguised as the image.
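The following Python snippet is an added defensive example, not code from Kaspersky Lab or the article. It flags filenames carrying Unicode bidirectional override characters and contrasts the extension the operating system will actually use with the extension a naive, non-bidi-aware display would show; the sample filename is constructed, and the rendering model is a simplification that assumes a single U+202E with no closing PDF.

```python
from pathlib import PurePosixPath

# Unicode bidi override/embedding/isolate controls. None of them changes the
# bytes a filesystem stores, but all of them can change what a user sees.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def approximate_display(name: str) -> str:
    """Approximate how a naive UI renders a name containing one RLO (U+202E).

    Assumption: a single U+202E with no closing PDF, so everything after it
    is shown reversed. The real Unicode bidi algorithm is more involved.
    """
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name

def true_extension(name: str) -> str:
    """Extension the OS actually uses: computed on the raw name with the
    bidi controls removed, since they never form part of the extension."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return PurePosixPath(cleaned).suffix.lower()

def check_filename(name: str) -> dict:
    """Report bidi controls present and any displayed/true extension mismatch."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    shown = approximate_display(name)
    real_ext = true_extension(name)
    shown_ext = PurePosixPath(shown).suffix.lower()
    return {
        "displayed_as": shown,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        # Any bidi control in a filename is worth flagging; a mismatch between
        # what is shown and what will execute is the RLO trick itself.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }

if __name__ == "__main__":
    # Constructed sample in the shape the article describes: the raw name ends
    # in ".js", but the RLO makes the tail "gnp.js" render as "sj.png".
    sample = "photo_high_re\u202egnp.js"
    print(check_filename(sample))
```

Stripping or rejecting filenames that contain any of the listed control characters at the point of receipt is the simplest mitigation a client or gateway can apply.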
Kaspersky Lab researched several cases in which the zero-day was exploited. In one, the attacker takes control of the victim’s system and sets off a series of commands, potentially to launch a “logger that would spy on the victim user”. In another, the infected device is used to mine cryptocurrency: rather than performing a straightforward theft, the attacker runs a mining client on the infected computer and then only needs to specify the details of their cryptocurrency wallet to start making money from the takeover.
All the exploitation cases that Kaspersky discovered were in Russia. While researching the attacks, the security firm also “discovered a lot of artifacts that pointed to involvement by Russian cybercriminals”.
Kaspersky Lab said it reported the vulnerability to Telegram, which has since patched it so that the flaw no longer occurs in Telegram’s products.
The security firm recommends that users never download or open files from unknown or untrusted sources, and that they do not share sensitive personal information in messaging apps. Finally, it recommends installing good antivirus software from a trusted company on all systems, in particular PCs.