Zero-day Telegram vulnerability exploited for cryptomining

Kaspersky Lab disclosed a zero-day vulnerability in Telegram that the security vendor says was abused by Russian cybercriminals in a cryptomining malware campaign.

Kaspersky Lab Tuesday unveiled a zero-day Telegram vulnerability that was exploited not by nation-state hackers or government spy agencies but by cybercriminals engaging in cryptomining.

Kaspersky said it discovered the zero-day vulnerability in Telegram Messenger's desktop client for Windows in October. The Telegram vulnerability, which was already being exploited by threat actors, enables a right-to-left override (RLO) attack when users send files through the messaging app; the RLO attack can be used to reverse the display order of Unicode characters and disguise malicious files.
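As an added example, not code from the article or from Kaspersky, here is a small Python check that a file gateway or messaging backend could run on incoming filenames: it flags Unicode bidirectional control characters such as U+202E (RIGHT-TO-LEFT OVERRIDE) and compares the extension a user would see with the extension the operating system actually uses. The sample filename is constructed to mirror the disguise technique the article describes.

```python
# Unicode bidirectional control characters that can reorder how a filename is
# displayed; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one behind RLO attacks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate what a user sees: text after U+202E (up to a U+202C pop,
    if any) is drawn reversed; other control characters are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def extension(name):
    """Extension the OS would use: text after the last '.', lowercased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def assess_filename(name):
    """Flag a filename whose displayed extension differs from its real one."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    result = {
        "has_bidi_controls": bool(controls),
        "displayed": shown,
        "displayed_extension": extension(shown),
        "real_extension": extension(real),
    }
    result["suspicious"] = bool(controls) and result["displayed_extension"] != result["real_extension"]
    return result

# Constructed sample: a script payload whose name renders as if it were a .png
SAMPLE = "photo_high_re\u202egnp.js"
```

A defensive policy built on this would reject or quarantine any filename with `has_bidi_controls` set, since legitimate filenames almost never contain these characters.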

"We don't have exact information about how long and which versions of the Telegram products were affected by the vulnerability," Alexey Firsh, cyberthreat researcher at Kaspersky, wrote in a blog post. "What we do know is that its exploitation in Windows clients began in March 2017."

Kaspersky said it notified Telegram of the vulnerability, which has been fixed. Firsh said the only exploit activity Kaspersky detected for the Telegram flaw was in Russia, and that "it appears that only Russian cybercriminals were aware of this vulnerability." The cloud-based messaging service has approximately 180 million active users.

What Russian cybercriminals used the Telegram vulnerability for, however, differed from past activity.

Cryptomining schemes

According to Kaspersky, Russian cybercriminals used the Telegram vulnerability not to spread ransomware but instead to drop cryptomining malware.

"Amid the cryptocurrency boom, cybercriminals are increasingly moving away from 'classic robbery' to a new method of making money from their victims -- namely mining cryptocurrency using the resources of an infected computer," Firsh wrote. "All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet."

Firsh outlined attack scenarios in which a Telegram download contains a self-extracting archive (SFX) that launches either a BAT file or a VBScript, which carries both a decoy image file and cryptocurrency mining software (Equihash and CryptoNight miners that, in this attack, mine Monero and Fantomcoin, respectively).

The threat goes beyond cryptomining malware, however. Firsh said attacks that exploit the Telegram vulnerability are designed "to take control of the victim's system, and involves the attacker studying the target system's environment and the installation of additional modules." The downloader, he noted, connects to a malicious FTP server and has commands that could be used to add other pieces of malware such as keyloggers.

In addition, Kaspersky's investigation found the FTP server had stolen Telegram directories from victims' devices, which included executables and utilities for the Telegram Messenger client, as well as encrypted local caches of documents, photos, videos and audio records.
