Telegram zero-day let hackers spread backdoor and cryptocurrency-mining malware

Kaspersky headquarters in Moscow. While analyzing the servers of the malicious actors, its experts found archives containing Telegram data that had been stolen from victims.


Although the exploit sounds quite ingenious (and it is), this type of attack has been used in email attachments for the past decade, and it is probably a type of vulnerability against which the Telegram developers should have defended in their app.

Kaspersky uncovers Telegram vulnerability that allows malicious crypto-mining. Cybersecurity firm Kaspersky Lab has uncovered a vulnerability in the Telegram desktop app that allows the messaging app to be exploited for mining cryptocurrencies. It is not clear how long the flaw was actually present before the attack campaign was initiated. The technique abuses a Unicode feature intended for languages that are read from right to left, such as Hebrew or Arabic.

In addition to hijacking a user's device to mine cryptocurrency, the malware was also created to steal information from its victims such as communication with their correspondents including pictures and files.

Hackers used a hidden Unicode character in the file name that reversed the order of the characters that follow it, effectively disguising the file name as displayed to the user. Attackers discovered that they could leverage the character to trick users by hiding an executable file, since the file name would appear partially or completely in reverse.

In addition, hackers changed the apparent file extension to mislead users into downloading a malicious file that they believed to be harmless.
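The disguise described above relies on a bidirectional override control: once the Unicode RIGHT-TO-LEFT OVERRIDE (U+202E) appears in a name, a renderer draws everything after it reversed, so the bytes `gnp.js` show up on screen as `sj.png`. The following detector is an added example written for this article, not code from Kaspersky Lab or Telegram; the sample file name, the list of executable extensions and the `assess` helper are constructed for illustration. It reports any bidi control characters in a name, compares the extension the operating system will actually use with the one the user sees, and flags the mismatch, which is the check a mail gateway or download scanner would want to run.

```python
import unicodedata

# Unicode bidirectional controls that can hide or reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Constructed, non-exhaustive list of extensions that Windows will execute.
EXECUTABLE_EXTS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd",
                   ".ps1", ".jar", ".com", ".msi", ".hta"}


def find_bidi_controls(name):
    """Return (index, code point, Unicode name) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """Extension the OS uses: everything after the last dot in the raw string."""
    base, sep, ext = name.rpartition(".")
    return ("." + ext).lower() if sep else ""


def apparent_name(name):
    """Approximate how a viewer renders the name: the text after an RLO
    (U+202E) up to the next PDF (U+202C) or the end of the string is
    reversed, and other bidi controls are invisible. This is a simplified
    model of the Unicode bidi algorithm, sufficient for the override case."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # invisible control, nothing is drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess(name):
    """Flag a name whose displayed extension differs from the real one,
    or which hides an executable extension behind a bidi control."""
    controls = find_bidi_controls(name)
    real = real_extension(name)
    shown = apparent_name(name)
    shown_ext = real_extension(shown)
    return {
        "displayed_name": shown,
        "real_extension": real,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and (real != shown_ext or real in EXECUTABLE_EXTS),
    }


if __name__ == "__main__":
    # Constructed sample: a JavaScript file dressed up as a PNG image.
    sample = "photo_high_re\u202egnp.js"
    for key, value in assess(sample).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample prints a displayed name of `photo_high_resj.png` against a real extension of `.js`, with the RLO located at index 13. A deployment would apply the same check to attachment names before they reach a client, and alert when `suspicious` is true rather than relying on the user noticing the reversed text.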

Hackers also infected users' systems with a backdoor that used the Telegram API, which in turn gave attackers remote control access to victims' computers.

During this attack, the hacker can disguise a malicious .NET file so that the victim downloads it believing the file to be harmless. The app has run into several security flaws since its release. The researchers discovered that the hackers were exploiting the vulnerability to mine various cryptocurrencies, including Monero, ZCash, Fantomcoin and others. After installation, the malware operated silently, allowing the hackers to stay unnoticed and potentially install spyware tools, Kaspersky Lab claimed.

Researchers at Kaspersky said that attackers would send malware in a message but use this special character to hide it.

"We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software; such infections have become a global trend that we have seen throughout the previous year," said Alexey Firsh, malware analyst at Kaspersky Lab.
