DATAINSIDER

Digital Guardian's Blog

Telegram Zero Day Let Hackers Mine Cryptocurrency, Drop Backdoors
Researchers said Tuesday the app was vulnerable to a right-to-left override attack, something which let attackers trick unsuspecting users into installing malware.

Hackers exploited a zero day in Telegram Messenger's desktop app last summer to mine cryptocurrency and drop backdoors onto affected systems, researchers said Tuesday.

Telegram, which claims to use end-to-end encryption for its secret chats functionality, has drawn the ire of multiple cryptographers over the years. Matthew D. Green, a cryptographer and Assistant Professor of Computer Science at the Johns Hopkins Information Security Institute has called the app’s crypto “not up to reasonable snuff,” likened the app to “a suspension bridge designed by an amateur who never read a book on engineering,” and described it akin to "being stabbed in the eye with a fork."

Alexey Firsh, a researcher with Kaspersky Lab, said Monday he discovered last March that the app was vulnerable to something called a right-to-left override attack. In right-to-left override attacks, also known as RTLO or RLO attacks, bad actors traditionally leverage Unicode characters in filenames to spoof fake extensions. The attacks obfuscate the names of files through a special character, U+202E (RIGHT-TO-LEFT OVERRIDE), which is used for Arabic and Hebrew scripts.

In this case an attacker could send a victim a .JS file on Telegram but make it appear to be a .PNG image file. A user would still have to open the file and click through a Windows security warning to launch the malicious file, but that apparently wasn't much of an impediment for some, according to Firsh.
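The spoofing works because a renderer that honours U+202E displays the characters after it in reverse order, so the raw name `holiday_<U+202E>gnp.js` is shown as `holiday_sj.png` while the operating system still sees a `.js` file. The following Python snippet is an added example written for this article; it is not code from the article, from Kaspersky Lab, or from Telegram. It scans filenames for bidirectional control characters, compares the extension the OS will act on with the one a user would see, and flags the mismatch. The executable-extension list and the sample filenames are constructed assumptions for illustration.

```python
# Detect right-to-left override (RTLO) filename spoofing.
# Added example for this article; not Kaspersky's or Telegram's code.

# Unicode bidirectional controls that can hide a file's real extension.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202e"
PDF = "\u202c"  # "pop directional formatting" ends an override run

# Assumption: a short illustrative list of extensions Windows executes
# directly when double-clicked; a production scanner would use a fuller one.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".exe", ".scr",
                   ".bat", ".cmd", ".hta", ".ps1", ".com", ".pif"}


def find_bidi_controls(name):
    """Return (offset, label) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name):
    """Extension the OS acts on: suffix of the raw string with controls removed."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def displayed_name(name):
    """Approximate what a display widget shows: each run after an RLO, up to
    the next PDF or the end of the string, is rendered reversed. Other
    controls are invisible and dropped. This is a simplification of the
    full Unicode bidi algorithm, sufficient for the classic RTLO trick."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def displayed_extension(name):
    shown = displayed_name(name)
    dot = shown.rfind(".")
    return shown[dot:].lower() if dot != -1 else ""


def assess(name):
    """Classify one filename.

    verdict is one of:
      'spoofed-executable' - bidi control present, real extension is executable,
                             and the displayed extension differs from it
      'bidi-present'       - control present but no executable mismatch
      'clean'              - no bidi controls at all
    """
    controls = find_bidi_controls(name)
    real, shown = real_extension(name), displayed_extension(name)
    if controls and real in EXECUTABLE_EXTS and shown != real:
        verdict = "spoofed-executable"
    elif controls:
        verdict = "bidi-present"
    else:
        verdict = "clean"
    return {"name": name, "displayed": displayed_name(name),
            "real_ext": real, "shown_ext": shown,
            "controls": controls, "verdict": verdict}


# Constructed sample attachments: one spoofed script, one benign image,
# one file that merely contains a bidi control without an executable suffix.
SAMPLE_NAMES = [
    "holiday_" + RLO + "gnp.js",   # shown as holiday_sj.png, really .js
    "cat.png",
    "notes_" + RLO + "txt.pdf",    # shown as notes_fdp.txt, really .pdf
]


def scan(names):
    """Return the names a mail/chat gateway should quarantine or warn on."""
    return [n for n in names if assess(n)["verdict"] == "spoofed-executable"]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = assess(n)
        print(f"{r['displayed']!r:24} real={r['real_ext']:5} {r['verdict']}")
```

Because the check operates on the raw string rather than on what a widget draws, it works equally well in a download hook, a mail gateway, or an endpoint DLP rule; the cheapest mitigation is simply to refuse or rename any attachment containing a character from `BIDI_CONTROLS`.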

Russian cybercriminals exploited the vulnerability to drop backdoors, loggers, and other malware on systems, according to the researcher. Attackers also managed to deploy mining software that harnessed machines’ CPUs and graphics accelerators to mine cryptocurrency such as Monero, Zcash, and Fantomcoin.

An attacker could also exploit the vulnerability to gain persistent control of a victim's system by modifying a machine's startup registry key and copying a malicious executable into one of the directories.

Firsh could only confirm the vulnerability was being exploited in the wild in March 2017. The researcher said it wasn't clear how long it affected the app, which versions of the app were affected, or when it was patched by the company.

“We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products,” a post on the firm's Securelist blog reads.

Judging by the abundance of Russian used in exploitation commands and in cases reported via the firm's telemetry systems, Firsh said it appears the vulnerability was mostly exploited in Russia. The app was developed by a Russian entrepreneur, Pavel Durov, and is largely used in Russia, but it isn't exclusive to that country.

The app, which has 100 million users and is technically based out of Germany, is available in 13 different languages. It's also popular in the U.S., India, Brazil, Italy, Iran, and Uzbekistan.

Durov, for what it's worth, took to his own Telegram channel on Tuesday to downplay Kaspersky Lab's research.

"This kind of vulnerability is based on social engineering. In fact, it was a .js file hidden on a .png file, this happened thanks to RTL characters. Windows users must click on the Run dialog in order to install the malware. So don't worry, unless you opened a malicius [sic] file, you have always been safe," Durov said.

Chris Brook


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.