How did cryptomining malware exploit a Telegram vulnerability?

Hackers were able to exploit a Telegram vulnerability to launch cryptomining malware. Expert Michael Cobb explains how they were able to do so and how to prevent similar attacks.

Kaspersky Lab recently disclosed a zero-day vulnerability in Telegram Messenger that was exploited by hackers with cryptomining malware. What exactly was this vulnerability, and how was it used to mine cryptocurrency?

It was big news when the virtual currency bitcoin briefly traded around $1,000 near the end of 2013. Over the next 18 months, its value fell back to just under $200. Since then, bitcoin has gone on to reach new highs: during 2017, it briefly rocketed to over $19,000, and at the time of writing a single bitcoin is valued above $7,000.

Many other cryptocurrencies, such as Monero, Vertcoin and Fantomcoin, have appeared recently, along with hackers eager to steal such valuable virtual assets. A big attraction of cryptocurrencies for hackers is that they can be mined as well as stolen.

Mining is the validation of recent cryptocurrency transactions, which are grouped into records called blocks; a miner who successfully adds a block is rewarded with newly created cryptocurrency. However, mining is deliberately resource-intensive, and the difficulty adjusts automatically so that the number of blocks found each day stays roughly constant no matter how much computing power joins the network. This means that miners have to invest large sums of money in many high-performance ASICs, which are expensive to buy and to run.

One solution for hackers is to harness the computing power of systems they can compromise and control over the internet. Late in 2017, Kaspersky Lab found cybercriminals doing exactly that: using a zero-day vulnerability in Telegram Messenger's desktop client for Windows to spread their cryptomining malware. Telegram is a cloud-based messaging service with approximately 200 million active users.

To trick users into installing the cryptomining malware, the hackers used a right-to-left override (RLO) attack. This misuses the nonprinting Unicode right-to-left override character, U+202E, which forces every character that follows it to be displayed right to left, so the text appears in reverse order on screen while its stored order is unchanged.

This character has a legitimate use in text for languages written right to left, such as Persian, Arabic, Syriac and Hebrew, but it can be used maliciously to disguise the true name and extension of an executable file. The hackers found that the Telegram Messenger client rendered file names with the override in effect rather than neutralizing it, and by sending malware files through the app under spoofed names, they increased their infection rates.

For example, a malicious JavaScript file called cute_cat_photo*U+202E*gnp.js is displayed in Telegram as cute_cat_photosj.png: everything after the *U+202E* override character is drawn right to left, so gnp.js is shown as sj.png and the file appears to be an image. Windows, however, goes by the stored name, whose extension is still .js, so opening the file runs it as a script. The vulnerability was that Telegram displayed the attacker-supplied name with the override honored instead of stripping or escaping the control character, so nothing in the client's interface indicated that the file was executable. Although the user still receives the standard Windows security notification when opening the file, they are far more likely to click Run, as what harm could a .png image file of a cute cat do?

Kaspersky Lab said the exploitation of this Telegram vulnerability began in March 2017 in Russia, and that only Russian cybercriminals appear to have been aware of it. The cryptomining malware installed with this exploit was a self-extracting archive that launched either a BAT file or a VBScript; the archive carried a decoy image file to keep up the pretense, together with cryptocurrency mining software for the Equihash and CryptoNight algorithms. This enabled the attackers to use the resources of infected computers to mine Monero and Fantomcoin at no cost to themselves. The malware was multipurpose: it also stole personal data and installed additional malicious tools.

The power requirements for mining cryptocurrency make enterprise networks, with their large numbers of always-on machines, a prime target for cryptomining malware. To catch similar attacks using the right-to-left override character, enterprises should scan incoming files and attachments for names that contain Unicode bidirectional control characters such as U+202E, and more generally for character sets or language settings that are not standard in the organization and for file names formatted in nonstandard ways. Note that genuine right-to-left text (a Hebrew or Arabic file name, for instance) does not need the override character, so its presence in a file name is a reliable indicator of spoofing rather than a source of false positives. Two complementary measures: configure Windows to always show file extensions, and compare the extension the user sees with the extension the operating system will actually act on, which is the text after the last dot in the stored name.
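As an added example, not code from the original article or from Kaspersky Lab, the following Python reproduces the display trick described above for the cute_cat_photo*U+202E*gnp.js file and implements the file-name check suggested for defenders: it renders a name the way a client that honors U+202E would draw it, lists the Unicode format characters the name contains, and compares the extension Windows acts on with the one the user sees. The function names, the executable-extension list and the sample file listing are constructed for this example.

```python
import unicodedata

# Extensions Windows will execute or interpret as script when double-clicked.
# Illustrative list assumed for this example, not an exhaustive one.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "lnk", "msi"}


def rendered_name(name: str) -> str:
    """Approximate what a UI that honours U+202E draws on screen.

    Everything after a right-to-left override (U+202E) is laid out right to
    left, i.e. visually reversed, until a pop-directional-formatting character
    (U+202C) or the end of the string. This is a deliberate simplification of
    the Unicode bidirectional algorithm, sufficient to reproduce the trick.
    """
    out = []
    i = 0
    while i < len(name):
        if name[i] == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension the operating system acts on: the text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse_filename(name: str) -> dict:
    """Compare the stored name with what the user sees and flag mismatches."""
    # Unicode general category Cf covers the bidi overrides and embeddings as
    # well as other invisible format characters (zero-width joiners, marks).
    # Legitimate right-to-left text needs none of them, so any occurrence in a
    # file name is treated as suspicious. The bidi class (e.g. "RLO") is kept
    # so an analyst can see which control was used.
    controls = [(i, unicodedata.bidirectional(c))
                for i, c in enumerate(name) if unicodedata.category(c) == "Cf"]
    shown = rendered_name(name)
    true_ext = extension(name)
    return {
        "name": name,
        "displayed_as": shown,
        "bidi_controls": controls,
        "true_extension": true_ext,
        "displayed_extension": extension(shown),
        "suspicious": bool(controls),
        "executable": true_ext in EXECUTABLE_EXTS,
    }


def scan_listing(names):
    """Return the analyses of every suspicious name in a file listing."""
    return [r for r in (analyse_filename(n) for n in names) if r["suspicious"]]


# Constructed sample listing: the article's spoofed name, a legitimate Hebrew
# file name (right-to-left letters, no override needed) and a plain document.
SAMPLE_LISTING = [
    "cute_cat_photo\u202Egnp.js",
    "\u05D3\u05D5\u05D7.pdf",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for r in scan_listing(SAMPLE_LISTING):
        print(f"{r['displayed_as']!r} is really {r['name']!r}: shown as "
              f".{r['displayed_extension']}, opens as .{r['true_extension']}")
```

Running the script reports only the spoofed entry, displayed as cute_cat_photosj.png but opening as .js; the Hebrew name passes because it contains no format characters, which is the distinction that keeps such a scan from flagging ordinary right-to-left file names.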

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
