Telegram Zero-day Bug Exploited for Mining Cryptos

Hackers have exploited zero-day vulnerability in Telegram Messenger's Windows app, which was came to light in last October 2017. Cyber crooks have exploited this zero-day from 2017, but now this has been patched. Kaspersky have notified about this zero-day and published all the technical details about the about bug on security list.

The exploit involved classic right-to-left override (RLO) attack when a file is sent using a messenger. The bug exploited how Telegram handles the special nonprinting RLO character (U+202E), which is used to switch between RTL to LTR text display. Attackers discovered that they could leverage the character to trick users by hiding an executable file, since the filename would appear partially or completely in reverse.

How This Zero-day Bug Works?
According to the researcher, hackers were sending a malicious file in a message which uses a tricky special chars that hide for being malicious. The file that is being send on messenger looks an image file but its actually a JavaScript file which is named as photo_high_re*U+202E*gnp.js, display gnp.js part of the string in reverse on Telegram, thus making it appear like an image file.
Now victims (Users) click on the file (Which looks as an Image) will get the prompt by the windows that informs, file is a JavaScript file. 

Hackers have exploited this zero-day for various purpose as like they can have the full control over the victims computer or they also install mining malware for mining crypto-currencies on target system.
The attacks have also been used to steal Telegram directories from victims that may contain information about their personal communications and transfered files. The backdoor enabled attackers to carry out varied malicious operations, including extracting web history archives and launching and deleting files.

Who had Exploited Telegram Zero-day?
Researchers also posted that, while researching on this zero-day they have found several command that are in Russian language. Researcher point out that Russian may know about this vulnerability have exploit this. Moreover, researcher also found a lot of artifacts that pointed to involvement by Russian cybercriminals.

Kaspersky noted that they don't know how long and which version of the Telegram products were affected by this bug, so they recommend users not to download or open any types of image or pdf files from unknown sources. 
If you like to read full technical details about this zero-day from secure list

Post a Comment

With ❤️ Cyber Kendra