Hackers are unpredictable and can come up with millions of ways to attack anything. This time, attackers have abused the non-profit, cloud-based instant messaging service Telegram. According to Kaspersky Lab researchers, cyber-criminals were able to exploit a vulnerability in Telegram to spread cryptocurrency miners that earn cryptocurrencies such as Monero and ZCash. The Telegram “zero day” flaw was used to distribute multipurpose malware which, depending on the device, can act either as a backdoor or as a tool to deliver mining software. First things first, let’s take a look at what a zero-day vulnerability is.

What is a zero-day vulnerability?

It is an attack that takes advantage of a security flaw on the same day that the vulnerability becomes generally known. In short, a zero-day attack happens once a vulnerability in software or hardware is exploited and attackers release malware before the developer has had an opportunity to ship a patch that fixes it. It can create problems well before anyone realizes something is wrong.

Telegram is one of the most popular end-to-end encrypted messaging apps, and it is widely used by cryptocurrency enthusiasts.

How does the Telegram vulnerability work?

The Telegram zero-day flaw was based on the RLO (right-to-left override) Unicode character, U+202E. When it appears in a string, the characters that follow it are displayed in reverse order. Its legitimate purpose is to support text in languages written from right to left, such as Arabic or Hebrew. The same character can also be used by attackers to deceive users into downloading malicious files disguised, for example, as images.
Following are the details of how this vulnerability was exploited in Telegram:
  • Attackers first created a JS file. A file of this kind is normally used to run client-side JavaScript code on a web page. In this case the file was named evil.js.
  • They then renamed evil.js to photo_high_re*U+202E*gnp.js.
  • As mentioned earlier, *U+202E* is the right-to-left override character, which they used to make Telegram display the remainder of the file name, gnp.js, in reverse. As a result, “gnp” is displayed as “png”.
  • The file name therefore appeared as “photo_high_resj.png”. Throughout this, the attackers never changed the actual file extension, which remained .js.
  • They then sent the file in a message, and the recipient saw it as an incoming image file.
When the user clicked on such a file, the standard security warning window was shown.
When the user clicked on ‘Run’, the malicious file was executed.
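The following is an added example, not code from Kaspersky Lab or Telegram, showing how a defender can detect this trick: it reconstructs what a naive UI would display for a file name containing U+202E and compares the displayed extension with the real one. The file names it checks are constructed for illustration.

```python
# Unicode bidirectional control characters that can make a file name render
# differently from the order in which it is actually stored.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"


def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO (U+202E) is shown
    reversed until a PDF (U+202C) or the end of the string. Other bidi
    control characters are invisible and are simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])  # reversed segment
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_filename(name: str) -> dict:
    """Report the displayed name, the extension the user sees, the extension
    the OS will actually use, and whether the two disagree."""
    displayed = rendered_name(name)
    actual = "".join(c for c in name if c not in BIDI_CONTROLS)
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    shown_ext, real_ext = _extension(displayed), _extension(actual)
    return {
        "displayed": displayed,
        "displayed_ext": shown_ext,
        "actual_ext": real_ext,
        "bidi_override": has_bidi,
        "spoofed_extension": has_bidi and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample: the name used in the Telegram campaign described above.
    for sample in ["photo_high_re\u202egnp.js", "holiday.png"]:
        print(check_filename(sample))
```

A mail or chat gateway can apply the same check to attachment names and quarantine any file whose displayed extension differs from its real one.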
Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab, said: “The popularity of instant messenger services is incredibly high, and it’s extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals. We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability.”

How to protect your PC from any such infection?

  • Do not download or open unknown files from untrusted sources.
  • Do not share personal or confidential information in instant messengers.
  • Install reliable anti-virus software.