Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware

Pierluigi Paganini February 13, 2018

Security researcher Alexey Firsh at Kaspersky Lab last discovered a Telegram zero-day in the desktop Windows version that was exploited in attacks in the wild.

Security researcher Alexey Firsh at Kaspersky Lab last discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app.

The bad news is that the Telegram zero-day flaw was being exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.

According to the expert, hackers have actively exploited the vulnerability since at least March 2017. Attackers tricked victims into downloading cryptocurrency miners or to establish a backdoor.

“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.” reads the analysis of the expert.

The flaw is related to the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for any language that uses a right to left writing mode, like Arabic or Hebrew.

The attackers used a hidden RLO Unicode character in the file name that reversed the order of the characters, in this way the file name could be renamed. In a real attack scenario, then the attackers sent the file to the target recipient.

The crooks craft a malicious code to be sent in a message, let assume it is a JS file that is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js  (— *U+202E* is the RLO character)

The RLO character included in the file name is used by an attacker to display the string gnp.js in reverse masquerading the fact that the file is a js and tricking the victims into believing that it is a harmless .png image.

Telegram zero-day

When the user clicks on the file, Windows displays a security notification if it hasn’t been disabled in the system’s settings.

telegram zero-day

If the user ignores the notification and clicks on ‘Run’, the malicious code executed.

The expert reported the Telegram zero-day to the company that promptly patched the flaw.

“Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.” states the analysis published by Kaspersky.

“During their analysis, Kaspersky Lab experts identified several scenarios of zero-day exploitation in the wild by threat actors.”

The analysis of the servers used by the attackers revealed the presence of archives containing a Telegram’s local cache, this means that threat actors exploited the flaw to steal data from the victims.

In another attack scenario, crooks triggered the flaw to install a malware that leverages the Telegram API as a command and control mechanism.

“Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer. After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.” continues the analysis.

According to the researcher, the flaw was known only in the Russia crime community, it was not triggered by other crooks.

To mitigate the attack, download and open files only from trusted senders.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

[adrotate banner=”9″] [adrotate banner=”12″]  

Pierluigi Paganini

(Security Affairs – Telegram Zero-Day, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment