Telegram - exploited by hackers to mine cryptocurrencies

Telegram is a secure chat application, at least when it comes to keeping a conversation private. But it turned out not to be so well protected against hackers.


Kaspersky Lab researchers have discovered attacks using a new type of malware that exploits a zero-day vulnerability in the Telegram desktop application. The flaw has been used to deliver multifunctional malware which, depending on the target computer, acts either as a backdoor or as a way to install cryptocurrency-mining software.

According to the research, the vulnerability has been actively exploited since March 2017 for mining various cryptocurrencies, including Monero and Zcash. The Telegram zero-day is based on the Unicode RLO ("right-to-left override") method. RLO is normally used to display languages whose writing system runs from right to left, such as Arabic or Hebrew, but malware authors can also use it to confuse users, for example by getting them to download malware files disguised as images.

The hackers used a hidden Unicode character in the file name, which reversed the character order and effectively renamed the file. As a result, users downloaded hidden malware that was then installed on their computers.
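As an added example (not code from the article or from Kaspersky Lab's research), the following Python check illustrates the defensive side of the trick described above: it scans a file name for Unicode bidirectional control characters such as U+202E (RIGHT-TO-LEFT OVERRIDE), approximates what a user would see on screen, and flags the name when the extension the operating system will actually use differs from the one displayed. The sample file names are constructed for the example, and the rendering is a simplification of the Unicode bidi algorithm that is sufficient for ASCII file names.

```python
import os

RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE: text that follows is drawn reversed
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING: ends the override
# Explicit bidi embedding, override and isolate controls (all invisible when rendered)
BIDI_CONTROLS = set("\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")


def displayed_name(name: str) -> str:
    """Approximate how a UI that honours RLO shows the name (simplified bidi:
    characters between an RLO and the next PDF, or the end, appear reversed)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS uses: control characters are just bytes in the name."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def analyse(name: str) -> dict:
    """Report bidi controls present and whether the visible extension is a lie."""
    controls = [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real, apparent = real_extension(name), os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "controls": controls,
        "real_ext": real,
        "apparent_ext": apparent,
        "suspicious": bool(controls) and real != apparent,
    }


if __name__ == "__main__":
    # Constructed sample: the user sees "photo_high_resj.png", the OS sees a .js file
    for sample in ("photo_high_re\u202Egnp.js", "report.pdf"):
        print(repr(sample), analyse(sample))
```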

During the analysis, Kaspersky Lab experts identified several scenarios in which attackers exploited the zero-day vulnerability. First, it was used to deliver mining malware: by using the computing power of the victim's PC, the hackers mined various cryptocurrencies, including Monero, Zcash, Fantomcoin and others. Moreover, while analysing an attacker's server, Kaspersky Lab researchers found archives containing local Telegram caches stolen from victims.

Second, after successful exploitation of the vulnerability, a backdoor was installed that used the Telegram API as its command-and-control protocol, giving the hackers remote access to the victim's computer. Once installed, it operated silently, allowing its operator to remain hidden on the network and execute various commands, including the installation of spyware tools. The artifacts discovered during the investigation indicate that the hackers are Russian-speaking.