Researchers say a new piece of malware is being delivered through a Zero Day vulnerability in the Telegram Desktop instant messaging app.
The vulnerability was used to deliver multi-purpose malware which, depending on the computer, acts either as a backdoor or as a loader for mining software, said researchers at Kaspersky Lab. It has been actively exploited since March 2017, chiefly for its cryptocurrency mining functionality, including Monero and Zcash.
Telegram is a cloud-based mobile and desktop instant messaging app with a focus on security and speed.
Social messaging services are an essential part of connected life, providing an easier way to keep in touch with friends and family. At the same time, they can significantly complicate life if they suffer a cyberattack.
The Telegram Zero Day vulnerability was based on the RLO (right-to-left override) Unicode method, researchers said. RLO is generally used to encode languages written from right to left, like Arabic or Hebrew; however, malware creators can also use it to mislead users into downloading malicious files disguised, for example, as images.
Attackers placed a hidden Unicode character in the file name that reversed the order of the characters following it, so the file appeared under a different name. As a result, users downloaded hidden malware which was then installed on their computers. Kaspersky Lab reported the vulnerability to Telegram and the flaw has not since been observed in the messenger's products.
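To show what the RLO trick looks like to a defender, here is an added Python example (not code from the article or from Kaspersky Lab) that scans a file name for Unicode bidirectional control characters, approximates what a left-to-right file picker would display, and compares the displayed extension with the real one. The file name it checks is constructed for the example; the code point for RLO is U+202E, and the rendering model only handles the RLO case, not full UAX #9 bidi layout.

```python
import os

# Unicode bidirectional control characters worth flagging in a file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions that Windows will execute or script-run when double-clicked.
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".exe", ".scr", ".hta", ".cmd", ".bat", ".ps1"}


def find_bidi_controls(name: str) -> list:
    """Return (index, label) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def rendered_name(name: str) -> str:
    """Approximate what a naive left-to-right file picker shows.

    Only RLO is modelled: the run after U+202E up to the next PDF (U+202C)
    or the end of the string is drawn reversed. Other controls are dropped.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch in BIDI_CONTROLS:
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: strip controls, split on the last dot."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def assess(name: str) -> dict:
    """Triage verdict: bidi controls present and the extension is executable or disguised."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    real_ext = real_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "suspicious": bool(controls)
        and (real_ext in EXECUTABLE_EXTENSIONS or real_ext != shown_ext),
    }


# Constructed sample: a JavaScript file dressed up as a PNG via U+202E.
DISGUISED = "photo_high_re\u202egnp.js"
CLEAN = "holiday.png"

if __name__ == "__main__":
    for candidate in (DISGUISED, CLEAN):
        verdict = assess(candidate)
        print(f"{verdict['displayed_as']!r} -> real {verdict['real_extension']} "
              f"suspicious={verdict['suspicious']} controls={verdict['bidi_controls']}")
```

Run against the constructed sample, the disguised name displays as photo_high_resj.png while the real extension is .js, which is the mismatch a mail gateway or download scanner should block or at least quarantine; the clean name carries no controls and passes.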
During their analysis, Kaspersky Lab experts found the vulnerability being exploited by threat actors in two ways. First, it was exploited to deliver mining malware, which can do significant harm to users. By using the victim's PC computing power, cybercriminals have been mining different cryptocurrencies including Monero, Zcash, Fantomcoin and others. In addition, while analyzing a threat actor's servers, Kaspersky Lab researchers found archives containing a Telegram local cache that had been stolen from victims.
Second, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, giving the attackers remote access to the victim's computer. After installation, it operated in silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands, including the further installation of spyware tools.
The artifacts discovered during the research indicate that the cybercriminals are of Russian origin.
“The popularity of instant messenger services is incredibly high, and it’s extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals,” said Alexey Firsh, malware analyst, targeted attacks research, Kaspersky Lab. “We have found several scenarios of this Zero Day exploitation that, besides general malware and spyware, was used to deliver mining software — such infections have become a global trend that we have seen throughout the last year.”