Telegram Zero-Day Exploited by Crypto-Miners

Russian cyber-criminals have been exploiting a zero-day flaw in popular comms service Telegram, allowing them to remotely install new malware which could be used as a backdoor or a means to deliver crypto-mining software, according to Kaspersky Lab.

The security vendor claimed that the vulnerability had been actively exploited since March 2017 to help mine crypto-currency including Monero and Zcash.

The zero-day was present in the desktop version of the encrypted comms app. It relied on a so-called "right-to-left override" (RLO) technique, in which attackers use a hidden Unicode control character to reverse the displayed order of the characters that follow it in a file name.

Thus, the malicious JavaScript file “gnp.js” is displayed as “sj.png,” tricking users into believing the prepared malware is actually a harmless image file.
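An added example, not from the article or from Kaspersky Lab's research, showing how a defender can spot the RLO trick described above: it flags file names that contain Unicode bidirectional control characters and compares the real extension with the one a naive display would show. The file names are constructed for the example, and the rendering model (everything after U+202E shown reversed) is a simplification of real bidi layout.

```python
import unicodedata

# Unicode bidi control characters that can change how a file name is displayed.
# Any of these inside a file name is unusual enough to be worth flagging.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # embeddings and overrides (U+202E is RLO)
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200E", "\u200F",                                # left-to-right / right-to-left marks
}

def rendered_name(name: str) -> str:
    """Approximate what a user sees: the text after a RIGHT-TO-LEFT OVERRIDE
    (U+202E) is shown reversed through to the end of the string."""
    idx = name.find("\u202E")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]

def extension(name: str) -> str:
    """Lower-cased extension of a name, or '' when it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyze(name: str) -> dict:
    """Report the real extension, the displayed extension, and the bidi controls found."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real = "".join(c for c in name if c not in BIDI_CONTROLS)  # what the OS actually opens
    shown = rendered_name(name)                                 # what the user is shown
    return {
        "actual_name": real,
        "displayed_name": "".join(c for c in shown if c not in BIDI_CONTROLS),
        "actual_ext": extension(real),
        "displayed_ext": extension(shown),
        "bidi_controls": controls,
        # Any bidi control is suspicious; a mismatched extension is the disguise itself.
        "suspicious": bool(controls),
        "disguised": bool(controls) and extension(real) != extension(shown),
    }

def scan(names):
    """Return the analyses of every name that carries a bidi control character."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]

# Constructed sample: one benign name and one using the RLO trick from the article.
SAMPLE_NAMES = ["vacation.png", "photo_high_re\u202Egnp.js"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(finding)
```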

The zero-day itself was identified as being exploited to deliver digital currency miners such as CryptoNight and Equihash. This type of malware typically lies hidden on a victim’s machine, silently using up compute power to mine valuable crypto-currency.

Another attack starting with the zero-day exploit installed a backdoor that used the Telegram API as its command-and-control (C&C) protocol, allowing the attackers to gain remote access to the victim’s machine. After installation, the malware operated silently, allowing the hackers to stay unnoticed and potentially install spyware tools, Kaspersky Lab claimed.

“The popularity of instant messenger services is incredibly high, and it’s extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals,” argued the vendor’s malware analyst, Alexey Firsh.

“We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software — such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability.”

Fortunately, the vulnerability has now been closed after Telegram was notified, but Kaspersky Lab urged users not to download or open unknown files from untrusted sources.
