Security researchers from Kaspersky revealed a Zero-day vulnerability in Telegram Windows client that abused by attackers in wild for installing malware and cryptocurrency miners. This Telegram Zero day vulnerability was notified to telegram and the vulnerability no longer occurs in Telegram’s products.
What is the Vulnerability?
The vulnerability resides in with how the windows telegram client handles the RLO Unicode character that used to manage with the languages written from left to right “Right to left override”.
With this vulnerability, attackers can send as js file and make the recipient sees an incoming PNG image file instead of a JS file.
According to Alexey Firsh Attackers can sent malware in a message, the JS file renamed as evil.js -> photo_high_re*U+202E*gnp.js and the *U+202E* is the RLO character.
While the file rendered in the extension remains same as .js but rendered in a screen as photo_high_resj.png.
Telegram Zero day Vulnerability Exploitation to install Malware and Miners
Attackers use this vulnerability in wide to take control of the victim’s system, they push downloader and uses the Telegram API as command protocol to control systems.
Researchers said loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.
Now the cryptomining attacks are in the boom, attackers using it to make money from their victims and all they need to do is running a mining client on victim computer.
Cryptomining attacks and the Cryptocurrency exchange attacks are at it’s peak, in the recent massive attack, the hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov.
Researchers concluded saying it appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia.
We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017
IoC
MD5
First stage 650DDDE919F9E5B854F8C375D3251C21 C384E62E483896799B38437E53CD9749 FA391BEAAF8B087A332833E618ABC358 52F7B21CCD7B1159908BCAA143E27945 B1760E8581F6745CBFCBE76FBD0ACBFA A662D942F0E43474984766197288845B
Payloads
B9EEC74CA8B14F899837A6BEB7094F65 46B36F8FF2369E883300F472694BBD4D 10B1301EAB4B4A00E7654ECFA6454B20 CD5C5423EC3D19E864B2AE1C1A9DDBBC 7A3D9C0E2EA27F1B96AEFED2BF8971A4 E89FDDB32D7EC98B3B68AB7681FACCFC 27DDD96A87FBA2C15B5C971BA6EB80C6 844825B1336405DDE728B993C6B52A83 C6A795C27DEC3F5559FD65884457F6F3 89E42CB485D65F71F62BC1B64C6BEC95 0492C336E869A14071B1B0EF613D9899 2CC9ECD5566C921D3876330DFC66FC02 1CE28167436919BD0A8C1F47AB1182C4
