Telegram Zero-Day Flaw Used to Spread Backdoor, Crypto Miner

A zero-day flaw in popular encrypted messaging app Telegram has been exploited by hackers to infect the app’s users with a backdoor that allows cybercriminals to mine cryptocurrencies using malware.

The zero-day flaw, based on a Unicode method that uses a right-to-left override (RLO) in coding languages written from right to left like Arabic or Hebrew, has been exploited by hackers to trick unsuspecting victims into downloading malicious files purporting to be photos. The zero-day was discovered by security researchers at Kaskpersky Lab who added the hackers began targeting Telegram Windows users as early as March 2017.

An investigation by researchers soon revealed hackers were exploiting the vulnerability to mine a number of cryptocurrencies including ZCash, Monero and Fantomcoin among others.

“Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer,” researchers wrote. “All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.”

Further, hackers used Telegram’s API to infect users’ systems with a backdoor, giving attackers remote control access to victims’ computers. The backdoor operated in silent mode once installed, enabling hackers to remain undetected as well as enabling them to install additional spyware on victim’s machines.

Researchers added that while they began noticing the exploit in Windows clients from March 2017, it’s anybody’s guess as to how long and which versions of Telegram’s software were affected. The vulnerability no longer exists after the app’s developers were made aware of the exploit.

Researchers added:

It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.

Image credit: Pixabay.