Telegram zero-day let hackers spread backdoor and cryptocurrency-mining malware

Attacks first took place in March 2017 and are being carried out by Russian cybercrime gangs, says Kaspersky Lab.
Written by Danny Palmer, Senior Writer

A zero-day vulnerability in Telegram Messenger allowed attackers to spread a new form of malware with abilities ranging from creating a backdoor trojan to mining cryptocurrency.

The attacks take advantage of a previously unknown vulnerability in the Telegram Desktop app for Windows and were spotted being used in the wild by Kaspersky Lab.

Researchers believe the Russian cybercriminal group exploiting the zero-day was the only one aware of the vulnerability and has been using it to distribute malware since March 2017 -- although it's unknown how long the vulnerability had existed before that date.

The attacks have also been seen to steal Telegram directories from victims, including information about their personal communications and files sent and received.

A vulnerability in the handling of the RLO (right-to-left override) Unicode control character allowed attackers to carry out the attacks. Right-to-left override is normally used for encoding languages written in that direction - such as Arabic and Hebrew - but attackers were able to leverage it in order to alter code.

By placing this hidden Unicode character in the file name, attackers are able to reverse the order of the characters that follow it, disguising a malicious file as something innocent and delivering it to the victim's computer.

The displayed file extension can thus be altered to trick the user into downloading something completely different from what they think they're receiving.

For example, a user could be led to believe they're receiving a .png file, when the file itself is actually a .js file that runs JavaScript and injects malicious code into the system.
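The trick above is easy to reason about in code. The following is an added example, not code from the article or from Kaspersky's report: it takes a constructed file name containing U+202E, shows what a bidi-aware renderer would display versus the extension the operating system actually uses, and flags the mismatch. It goes slightly beyond the article by treating the whole family of Unicode bidirectional control characters as suspicious, not only RLO; the sample file names are constructed for illustration.

```python
# Added example (not from the article or Kaspersky's report): detect file names
# that use Unicode bidirectional controls to disguise their real extension.

import unicodedata

# Bidirectional control characters that can reorder or hide parts of a displayed
# name. RLO (U+202E) is the one the article describes; the others are included
# on the assumption that a defender wants to catch the whole family.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)
RLO = "\u202e"


def displayed_name(name):
    """Approximate what a bidi-aware file browser shows: everything after an RLO
    is drawn right-to-left, i.e. reversed. Handles the single-RLO case the
    article describes; nested overrides are out of scope for this illustration."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def _extension(name):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def real_extension(name):
    """The extension the OS actually uses: taken from the raw, unrendered
    string with all bidi controls stripped out."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(clean)


def inspect_filename(name):
    """Report the bidi controls found, what the user sees, what would actually
    execute, and whether the name should be treated as suspicious."""
    controls = [(i, unicodedata.name(ch)) for i, ch in enumerate(name)
                if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = _extension(shown)
    real_ext = real_extension(name)
    return {
        "controls": controls,
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        # Any bidi control in a file name is worth a second look, and a
        # displayed/real extension mismatch is the RLO trick itself.
        "suspicious": bool(controls) or shown_ext != real_ext,
    }


def scan_names(names):
    """Return only the suspicious entries from a list of file names, each
    paired with its inspection report."""
    return [(n, inspect_filename(n)) for n in names if inspect_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names: one disguised script, two benign names.
    samples = ["photo_high_re\u202egnp.js", "report.pdf", "README"]
    for name, report in scan_names(samples):
        print(f"raw={name!r} shown={report['displayed']!r} "
              f"looks like .{report['displayed_ext']} but is .{report['real_ext']}; "
              f"controls={report['controls']}")
```

Run as a script, the disguised name `photo_high_re\u202egnp.js` renders as `photo_high_resj.png` while its real extension is `js`, which is exactly the mismatch a mail gateway, chat client or endpoint agent can check for before the file ever reaches a user.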

The vulnerability can be used to carry out a variety of attacks against an infected machine. One payload attackers distribute in this way can be used to take remote control of the machine.


In this instance, a downloader written in .NET and using the Telegram API as its command protocol modifies a startup registry key on the system, allowing the attackers to gain full control.

This backdoor allows for a number of malicious operations, including launching, downloading and deleting files and extracting web browsing history archives.

Researchers note that the commands -- which are implemented in Russian -- look as if they could be used for dropping additional malware, such as keyloggers onto the infected system.

In addition to installing a backdoor onto the system, the attackers are also able to tailor the Telegram malware for mining cryptocurrency -- including Monero, ZCash and Fantomcoin. It's unknown how much has been made from the scheme, but it can prove highly lucrative to cybercriminals.

In this instance, the malicious payload first opens a decoy file to reassure the victim that nothing suspicious is going on. After installation, however, the cryptocurrency miners run in the background.

If pushed too far, the mining operation could overheat or otherwise damage the machine -- all while the victim is unsure why their fans are working so hard.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software -- such infections have become a global trend that we have seen throughout the last year," said Alexey Firsh, malware analyst at Kaspersky Lab.

Researchers haven't disclosed when the vulnerability was discovered but said that since disclosing it to Telegram, attacks using the exploit haven't been seen in the wild. ZDNet attempted to contact Telegram, but hadn't received a reply at the time of publication.

One way Telegram users can avoid falling victim to these types of attacks is by not downloading untrusted files from unknown sources - and being wary of trusted contacts suddenly attempting to share files without context.


A flaw in Telegram let attackers alter code to distribute malware.

Image: iStock
