Posted on February 14, 2018 at 4:35 PM

Critical Flaw in Telegram Allows Hackers to Spread Cryptojacking Malware

Russian cybercrime gangs have been exploiting a zero-day flaw in the popular messaging app, Telegram, to spread cryptojacking malware ever since March 2017 according to Kaspersky Lab.

Recent research has revealed that hackers have been exploiting a critical flaw in the popular Telegram Messenger app in order to infect users with a malware that can mine cryptocurrency or even create backdoor trojans.

This campaign was discovered by the cybersecurity firm, Kaspersky Lab as they witnessed attacks which exploited a critical flaw in the Telegram Desktop app. This flaw has only been recently detected once researchers discovered the attack campaign.

According to researchers, it is likely that the hackers were the only ones who knew of the flaw and they have been exploiting the flaw since at least March 2017. It is not clear how long the flaw was actually present before the attacking campaign was intimated.

In addition to hijacking a user’s device to mine cryptocurrency, the malware was also designed to steal information from its victims such as communication with their correspondents including pictures and files.

The hacking technique

The attack campaign was executed by exploiting a flaw in the unique right-to-left-override (RLO)  coding technique. This coding is generally implemented for coding languages that are based on languages that read from right to left, such as Hebrew or Arabic. Attackers exploited this technique to insert their own malicious code.

The hackers were able to reverse the entire character order by using a disguised Unicode character in the coding file name. This technique also enabled them to disguise malicious files and spread the malware to the devices which used the Telegram desktop app.

In addition, hackers changed the file extension to mislead users into download a malicious file, which they considered to be innocent.

More than just cryptojacking

example, the file extension could be changed from .js to .png, which could mislead the user into thinking that they are receiving a png file when in reality they were receiving a javascript code file which is capable of inserting malicious code into their device system.

This flaw can be exploited to spread a variety of different malware code and can, therefore, attack the device in several different ways. For example, a certain attack can also allow the hacker remote access to the infected device.

During this attack, the hacker can manipulate a malicious .NET to be disguised in such a way that the victim downloads it thinking that the file is innocent. However, this file can then allow the hacker to gain full control of the infected device.

The backdoor flaw provides hackers with a unique opportunity to execute several commands on an infected device, including downloading and installing malicious files, viewing browser history, etc.

Interestingly, researchers at Kaspersky Lab have noted that all commands used are in Russian and are written in such a way that more malware attacks are likely to plague previously infected devices.

However, the main concern remains the fact that hackers can easily manipulate the flaw to download cryptocurrency mining malware on infected devices which will hijack device processing power to covertly mine cryptocurrencies such as Fantomcoin, monero, and Cash. It is not yet clear how much hackers have profited from this attack campaign, but it can be a highly lucrative endeavor for criminals which requires relatively low maintenance.

Cryptocurrency mining malware could be dangerous to the victim. If a device runs the malware for an extended period of time, the device could suffer extensive damage due to overheating.

According to a malware analyst from Kaspersky Lab, Alexey Firsh, the firm has discovered that Telegram flaw could be used to spread several malware campaigns, including spyware and ransomware which could be global in its scope.

Kaspersky Lab has not clarified when they did discover the vulnerability, however, they did confirm that they have reported the issue to Telegram and since reporting it, no further exploitations were spotted.

Telegram users have been advised to refrain from downloading any files that they received from an unknown source and to make sure of every file’s context before downloading it.