Telegram, the instant messaging service, has been one of the most recent targets of malicious hackers seeking to build a large network of devices whose processing power, electricity and bandwidth are put to work mining cryptocurrencies such as Zcash and Monero without their owners' consent.
According to a report issued by the multinational cybersecurity company Kaspersky Lab, hackers took advantage of a ‘zero-day’ vulnerability, a security flaw that becomes known before the vendor has corrected it, allowing attackers to exploit it against software and devices. This security hole was found in the desktop application of the popular Russian messenger and was used to spread malware that could function as a backdoor or as unwanted mining software.

During the analysis, the Kaspersky Lab experts identified several scenarios in which threat actors in the wild exploited the zero-day. In the first place, the vulnerability was exploited to install mining malware, something that can be very harmful for users: using the computational power of the victim’s PC, cybercriminals mined different cryptocurrencies, including Monero, Zcash and Fantomcoin. In addition, when analyzing the servers of one threat actor, the Kaspersky Lab researchers found files containing a local Telegram cache that had been stolen from the victims.
The report goes on to explain that this vulnerability “has been exploited since March 2017,” taking advantage of the Unicode right-to-left control character, part of the standard's support for scripts such as Arabic and Hebrew, which are written in that direction. By inserting a hidden character that reverses the display order of the symbols that follow it in a file name, attackers trick users into downloading and installing malicious programs on their computers.
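To make the trick concrete from the defender's side, here is an added example (not code from Kaspersky Lab, Telegram or the report) that inspects a filename for Unicode bidirectional control characters and compares the extension a user would see with the one the operating system actually uses. The sample filename is constructed, and the display logic handles only the single-override case rather than the full Unicode bidi algorithm.

```python
"""Flag filenames whose displayed extension is disguised by a Unicode
right-to-left override. Added example, not code from the report."""
import unicodedata

# Bidi control characters that can reorder how a filename is rendered.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def strip_controls(name: str) -> str:
    """Remove every bidi control character from the name."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """The extension the OS uses: text after the last dot, controls removed."""
    _, dot, ext = strip_controls(name).rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """Approximate what the user sees: everything after a single RLO is
    rendered reversed. Simplification of the Unicode bidi algorithm that
    covers the common one-override case only."""
    if RLO not in name:
        return strip_controls(name)
    head, _, tail = name.partition(RLO)
    return strip_controls(head) + strip_controls(tail)[::-1]


def check_filename(name: str) -> dict:
    """Report displayed vs. real extension and mark a mismatch as suspicious."""
    controls = [f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    _, dot, shown_ext = shown.rpartition(".")
    shown_ext = shown_ext.lower() if dot else ""
    real_ext = true_extension(name)
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample: a .js file whose name is shown as ending in .png
    print(check_filename("photo_high_re\u202egnp.js"))
```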
Then, according to the report, the attackers gain remote access to the victim’s computer and begin to operate “in a hidden manner”, allowing them to execute various commands such as installing spyware or mining software for different cryptocurrencies. Kaspersky’s investigations indicate that the cybercriminals could be from Russia.
Moreover, the maker of the antivirus of the same name said that Telegram was not the only vulnerable messaging application. WhatsApp was attacked last month to steal messages from its users, a problem also discovered by the Russian cybersecurity firm.
Kaspersky contacted Telegram to report the vulnerability. Since then, there have been no further reports of it being exploited.
Nature of the attack identified as “social engineering”
In one of the channels of the Telegram community, it was explained that this vulnerability was not a true failure of the desktop application, but rather a work of social engineering, emphasizing that “(…) no one can remotely take control of your computer or Telegram unless you open a malicious file.” The statement clarifies that the attack was, in fact, “a .js file hidden in a .png image”, which users must open in order for it to run on their computers.
This explanation was seconded by the founder of Telegram, Pavel Durov, who also warned that antivirus companies should be more careful when issuing these types of reports, “because they have to exaggerate their findings to gain publicity in the mass media.”