A zero-day vulnerability has been identified in the desktop version of the end-to-end encrypted messaging application Telegram, specifically targeting the Windows client. This vulnerability has been actively exploited by cybercriminals to distribute malware designed to mine cryptocurrencies such as Monero and ZCash.

This security flaw was uncovered by Alexey Firsh, a researcher from Kaspersky Lab, last October. The exploit has been in circulation since at least March 2017, allowing attackers to trick users into downloading malicious software that utilizes their system’s CPU for mining cryptocurrencies or serves as a remote access backdoor.

The underlying issue stems from how the Telegram Windows client processes the Right-to-Left Override (RLO) Unicode character (U+202E), commonly used in languages such as Arabic and Hebrew. Kaspersky Lab reports that malware creators have ingeniously exploited this character by embedding it in file names to reverse the order of the characters. As a result, files sent to users may appear benign, such as a PNG image, while actually being a JavaScript file capable of executing harmful actions.

When an attacker sends a file named something like “photo_high_re” followed by the U+202E character and then “gnp.js”, the portion of the name after the override character is rendered reversed on the recipient’s screen, so the name appears to end in “.png” even though the operating system still treats it as a .js file. Consequently, users may be misled into downloading malware masquerading as an innocuous image file.
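As an added illustration of the mechanism described above (this is example code written for this page, not code from the article, Kaspersky or Telegram), the following Python checker flags attachment names that contain Unicode bidirectional control characters, approximates how a naive renderer would display them, and reports the extension the operating system will actually use. The sample file names are constructed; the list of executable extensions is an assumed, non-exhaustive set.

```python
from pathlib import PurePosixPath

# Unicode bidirectional control characters. Any of these in a file name is
# suspicious: they change how the name is displayed, not which handler opens it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Assumed, non-exhaustive set of extensions that run as code on Windows.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".js", ".jse", ".vbs", ".vbe",
    ".bat", ".cmd", ".ps1", ".hta", ".wsf",
}


def simulate_display(name: str) -> str:
    """Approximate how a renderer that honours RLO would show the name.

    Only U+202E (Right-to-Left Override) is modelled: every character after it,
    up to a Pop Directional Formatting (U+202C) or the end of the string, is
    shown reversed. Other control characters are invisible and are dropped.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            pdf = name.find("\u202c", i + 1)
            end = len(name) if pdf == -1 else pdf
            out.append(name[i + 1:end][::-1])
            i = end if pdf == -1 else end + 1
            continue
        if ch in BIDI_CONTROLS:
            i += 1          # invisible in the rendered name
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Return what the user sees versus what the OS will actually execute."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    displayed = simulate_display(name)
    real_ext = PurePosixPath(name).suffix.lower()
    shown_ext = PurePosixPath(displayed).suffix.lower()
    return {
        "name": name,
        "displayed_as": displayed,
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        # Flag any bidi control at all; a mismatch of extensions is the
        # classic disguise, but a control character alone has no honest use
        # in a plain file name.
        "flagged": bool(controls),
    }


def scan_names(names):
    """Run the check over a batch of attachment names and return the flagged ones."""
    return [r for r in (analyze_filename(n) for n in names) if r["flagged"]]


# Constructed sample attachment names (not real IoCs).
SAMPLE_NAMES = [
    "holiday.png",
    "photo_high_re\u202egnp.js",          # displays as photo_high_resj.png
    "report_final.docx",
    "invoice_\u202efdp.exe",              # displays as invoice_exe.pdf
]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_NAMES):
        print(f"{hit['displayed_as']!r} is really {hit['real_extension']} "
              f"(controls: {', '.join(hit['bidi_controls'])}, "
              f"executable={hit['executable']})")
```

A client or mail/chat gateway can apply the same rule as a mitigation: strip or reject bidirectional control characters in attachment names, and always show the real extension derived from the stored bytes rather than from the rendered string.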

Kaspersky emphasized the dire consequences of this vulnerability, noting that unsuspecting users often unwittingly installed hidden malware on their devices after downloading these disguised files. The firm promptly notified Telegram, which has since patched the vulnerability; Kaspersky adds that it has not observed any further exploitation in its products since the fix.

During the investigation, Kaspersky researchers discovered various scenarios in which this zero-day vulnerability was exploited. Predominantly, it was leveraged to deploy cryptocurrency mining malware that commandeered victims’ processing power to mine various cryptocurrencies. Additionally, Kaspersky analyzed hacker servers and found archives of Telegram’s local cache obtained from compromised users.

Moreover, cybercriminals utilized the exploit to install a backdoor trojan leveraging the Telegram API for command and control communications, enabling remote access to infected machines. Once operational, these trojans executed commands in stealth mode, allowing attackers to remain undetected while potentially installing additional spyware.

Researchers believe the exploitation of this zero-day flaw has been primarily associated with Russian cybercriminals, given that all identified cases occurred within the country and showed clear indications of Russian hacking groups. To mitigate such risks, experts advise refraining from downloading files from unfamiliar sources and ensuring that robust antivirus solutions are in place.

As businesses increasingly rely on messaging applications for communication, maintaining cybersecurity awareness is paramount. Users should remain vigilant, avoid sharing sensitive information through messaging platforms, and practice prudent file management to protect against potential cyber threats. Departing from these best practices could expose organizations to attacks that leverage similar vulnerabilities, emphasizing the importance of an educated approach to cybersecurity.
