Telegram Zero Day Let Hackers Mine Cryptocurrency, Drop Backdoors
Researchers said Tuesday the app was vulnerable to a right-to-left override attack, something which let attackers trick unsuspecting users into installing malware.
Hackers exploited a zero day in Telegram Messenger's desktop app last summer to mine cryptocurrency and drop backdoors onto affected systems, researchers said Tuesday.
Telegram, which claims to use end-to-end encryption for its secret chats functionality, has drawn the ire of multiple cryptographers over the years. Matthew D. Green, a cryptographer and Assistant Professor of Computer Science at the Johns Hopkins Information Security Institute, has called the app’s crypto “not up to reasonable snuff,” likened the app to “a suspension bridge designed by an amateur who never read a book on engineering,” and described it as akin to "being stabbed in the eye with a fork."
Alexey Firsh, a researcher with Kaspersky Lab, said Monday he discovered last March that the app was vulnerable to something called a right-to-left override attack. In right-to-left override attacks, a/k/a RTLO or RLO attacks, bad actors traditionally leverage Unicode filenames to spoof fake extensions. Attacks can obfuscate the names of files through a special control character, U+202E, which is used to display right-to-left scripts such as Arabic and Hebrew.
In this case, an attacker could send a victim a .JS file on Telegram but make it appear as if it were a .PNG image file. A user would still have to open the file and click through a Windows security warning to launch it, but that apparently wasn't much of an impediment for some, according to Firsh.
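To make the trick concrete from the defender's side, here is an added example (not code from the article or from Kaspersky Lab) that flags filenames containing Unicode bidi control characters, approximates how a renderer would display them, and compares the displayed extension with the real one. The sample filename is constructed, and the display simulation is a simplification of the Unicode Bidirectional Algorithm that covers the U+202E case the article describes.

```python
import unicodedata

# Unicode bidi formatting characters; U+202E (RIGHT-TO-LEFT OVERRIDE) is the
# one the article describes. Any of these inside a filename is suspicious.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings/overrides/PDF
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f",                                # marks
}

def find_bidi_controls(name):
    """Return (index, 'U+XXXX', unicode name) for each bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate what a file browser shows: text after U+202E up to U+202C
    (or end of string) is drawn reversed; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)

def true_extension(name):
    """Extension the OS will actually dispatch on, with controls stripped."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""

def analyze(name):
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    controls = find_bidi_controls(name)
    return {"controls": controls, "displayed": shown, "displayed_ext": shown_ext,
            "true_ext": true_extension(name),
            "spoofed": bool(controls) and shown_ext != true_extension(name)}

# Constructed sample: a .js file named "photo_<RLO>gnp.js" renders as "photo_sj.png".
SAMPLE = "photo_\u202egnp.js"

if __name__ == "__main__":
    for n in (SAMPLE, "holiday.png"):
        print(n.encode("unicode_escape").decode(), "->", analyze(n))
```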
Russian cybercriminals exploited the vulnerability to drop backdoors, loggers, and other malware on systems, according to the researcher. Attackers also managed to deploy mining software that harnessed machines’ CPUs and graphics accelerators to mine cryptocurrencies such as Monero, Zcash, and Fantomcoin.
An attacker could also exploit the vulnerability to gain persistent control of a victim's system by modifying a machine's startup registry key and copying a malicious executable into one of the directories.
Firsh could only confirm the vulnerability was being exploited in the wild in March 2017. The researcher said it wasn't clear how long it affected the app, which versions of the app were affected, or when it was patched by the company.
“We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products,” a post on the firm's Securelist blog reads.
Judging by the abundance of Russian used in exploitation commands and cases reported via the firm's telemetry systems, Firsh said it appears the vulnerability was mostly exploited in Russia. The app was developed by a Russian entrepreneur, Pavel Durov, and is largely used in Russia, but it isn't exclusive to that country.
The app, which has 100 million users and is technically based out of Germany, is available in 13 different languages. It's also popular in the U.S., India, Brazil, Italy, Iran, and Uzbekistan.
Durov, for what it's worth, took to his own Telegram channel on Tuesday to downplay Kaspersky Lab's research.
"This kind of vulnerability is based on social engineering. In fact, it was a .js file hidden on a .png file, this happened thanks to RTL characters. Windows users must click on the Run dialog in order to install the malware. So don't worry, unless you opened a malicius [sic] file, you have always been safe," Durov said.