Malicious actors are constantly finding new ways to exploit the growing number of cryptocurrencies available to users. Kaspersky Lab researchers have reported a zero-day flaw in the Telegram Desktop client for Windows that attackers used to plant mining software for Zcash, Fantomcoin, and Monero on victims' computers.
“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service,” the researchers said in their report.
What Is a Right-to-Left Override Attack?
The special nonprinting right-to-left override (RLO) character reverses the display order of the characters that follow it in a string. In the Unicode character table it is represented as U+202E; one legitimate use is when typing Arabic text. In an attack, the character is used to mislead the victim, typically by changing how the name and extension of an executable file are displayed: software vulnerable to this sort of trick shows the filename incompletely or in reverse, so the real extension is hidden from the user while the operating system still sees it.
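To make the mechanism concrete, here is an added example (written for this article, not code from Kaspersky Lab's report or from Telegram) that models how a naive file list draws a name containing an RLO, and a check a receiving application or mail/chat gateway could run on incoming filenames. The filenames in it are constructed for illustration; the rendering function is a deliberate simplification of the Unicode Bidirectional Algorithm that is accurate for ASCII filenames, and the list of executable extensions is an illustrative subset, not a complete one.

```python
import os

# Unicode bidirectional control code points an attacker can embed in a
# filename to change how it is displayed without changing what it is.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
RLO = "\u202e"  # U+202E, the character used in the Telegram attack
PDF = "\u202c"  # ends the override; attackers usually just omit it

# Illustrative subset (assumption) of extensions Windows executes on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".scr",
                         ".bat", ".cmd", ".ps1", ".hta", ".com", ".pif", ".lnk"}


def find_bidi_controls(name):
    """Return (index, unicode_name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi_controls(name):
    """The string the file system actually works with: the controls are
    invisible when drawn, but they are still part of the real name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate what a naive UI draws: from the first RLO up to the matching
    PDF (or the end of the string) characters appear in reverse order, and the
    control characters themselves are not drawn. Simplified bidi handling,
    sufficient for ASCII filenames."""
    start = name.find(RLO)
    if start == -1:
        return strip_bidi_controls(name)
    end = name.find(PDF, start)
    if end == -1:
        end = len(name)
    reversed_part = strip_bidi_controls(name[start + 1:end])[::-1]
    return (strip_bidi_controls(name[:start])
            + reversed_part
            + strip_bidi_controls(name[end + 1:]))


def real_extension(name):
    """Extension the OS will act on, computed from the control-free name."""
    return os.path.splitext(strip_bidi_controls(name))[1].lower()


def check_filename(name):
    """Compare what the user would see with what the OS would execute.
    Any bidi control in a filename is flagged; the extension mismatch and
    executable flags tell the analyst how dangerous the disguise is."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    actual_ext = real_extension(name)
    return {
        "received": repr(name),
        "rendered": shown,
        "displayed_extension": shown_ext,
        "real_extension": actual_ext,
        "bidi_controls": controls,
        "extension_mismatch": shown_ext != actual_ext,
        "executable": actual_ext in EXECUTABLE_EXTENSIONS,
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample filenames: one benign, two disguised scripts.
    samples = ["report.pdf", "photo_high_re\u202egnp.js", "invoice\u202efdp.exe"]
    for sample in samples:
        result = check_filename(sample)
        print(f"{result['received']:<32} shown as {result['rendered']:<22} "
              f"real ext {result['real_extension']:<5} "
              f"suspicious={result['suspicious']} executable={result['executable']}")
```

Run as a script it shows that `photo_high_re<RLO>gnp.js` is drawn as `photo_high_resj.png` while the real extension stays `.js`. The practical lesson for a defender is that the filter keys on the presence of the control characters, not on the displayed text: there is no legitimate reason for an ASCII filename sent over a messenger to contain U+202E, so rejecting or renaming such files is a cheap, high-signal control.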
According to Kaspersky Lab, the flaw has been leveraged in active attacks since March 2017. When exploitation succeeded, the attackers installed a backdoor on the compromised host that used the Telegram API as its command-and-control channel, giving them remote access to the machine.
Telegram Zero-Day Exploited in Several Ways
More troubling still, the researchers found several scenarios in which the Telegram zero-day could be leveraged. Besides dropping malware and spyware on infected computers, the flaw was also used to deliver mining software. The researchers believe there are further ways to build an attack on the vulnerability.
So far the flaw appears to have been known only to Russian cybercriminals: Kaspersky Lab detected attacks occurring only in Russia, and the security firm also found evidence pointing directly to Russian attackers.
It is still not known which versions of the Telegram app were affected by the zero-day flaw. What the researchers are certain about is that exploitation in Windows clients began in March 2017. Telegram's developers were contacted and informed about the problem, and the vulnerability has since been fixed in the corresponding products.
Affected users should update their Telegram apps as soon as possible.