Thursday, May 1, 2025

Telegram Zero day Flaw Abused by Attackers in Wild to Install Malware and Cryptominers


Security researchers from Kaspersky revealed a zero-day vulnerability in the Telegram Windows client that was abused by attackers in the wild to install malware and cryptocurrency miners. The flaw was reported to Telegram and no longer occurs in Telegram’s products.

What is the Vulnerability?

The vulnerability lies in how the Windows Telegram client handles the Unicode “right-to-left override” (RLO) character, which is used to manage languages written from right to left.

With this vulnerability, attackers can send a JS file that the recipient sees as an incoming PNG image file instead of a JS file.


According to Alexey Firsh, attackers can send the malware in a message: the JS file is renamed from evil.js to photo_high_re*U+202E*gnp.js, where *U+202E* is the RLO character.

The file’s real extension remains .js, but the name is rendered on screen as photo_high_resj.png.
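The renaming trick above can be checked mechanically before a file name is ever shown to a user. The following script is an added example, not code from the article or from Kaspersky: it scans a file name for Unicode bidirectional control characters, reports the real extension next to the extension a viewer would appear to see, and flags the mismatch. The visual rendering is a deliberate simplification (text after an RLO is reversed until a pop-directional-formatting character or the end of the string), which is enough for the photo_high_re*U+202E*gnp.js case from the article; the sample names are constructed for the demonstration.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can change how a file name is
# drawn on screen. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the
# Telegram attack; the others are included because they can be abused the same way.
BIDI_CONTROLS = frozenset(
    "\u202A\u202B\u202C\u202D\u202E"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)


def find_bidi_controls(name: str):
    """Return (index, 'U+XXXX', unicode name) for every bidi control in the name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def displayed_name(name: str) -> str:
    """Approximate how a viewer draws the name (simplified bidi rendering).

    Everything after an RLO is drawn right-to-left, i.e. reversed, until a PDF
    (U+202C) or the end of the string. Other control characters are invisible
    and are simply dropped from the displayed form.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess(name: str) -> dict:
    """Compare the real extension with the apparent one and give a verdict."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    actual_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    if controls and actual_ext != shown_ext:
        verdict = "extension-spoofing"      # what the Telegram client failed to catch
    elif controls:
        verdict = "bidi-control-present"    # suspicious, but extension unchanged
    else:
        verdict = "clean"
    return {
        "name": name,
        "displayed_as": shown,
        "actual_extension": actual_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": [label for _, _, label in controls],
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample names: the one from the article and a benign image.
    for sample in ("photo_high_re\u202Egnp.js", "photo_high_res.png"):
        result = assess(sample)
        print(f"{result['displayed_as']!r:28} real={result['actual_extension']:5} "
              f"shown={result['displayed_extension']:5} {result['verdict']}")
```

A messaging client or mail gateway would use the same check at the point where an attachment name is first rendered: either strip the control characters from the displayed name or refuse names whose real and apparent extensions disagree, which is what closes the gap the article describes.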

Telegram Zero-day Vulnerability Exploited to Install Malware and Miners

Attackers used this vulnerability in the wild to take control of victims’ systems: they push a downloader, which uses the Telegram API as its command protocol to control the compromised systems.

Researchers said the loader may be designed to download another piece of malware, possibly a logger that would spy on the victim.

Cryptomining attacks are booming: attackers use them to make money from their victims, and all they need to do is run a mining client on the victim’s computer.

Cryptomining attacks and attacks on cryptocurrency exchanges are at their peak; in a recent massive attack, 4275 websites were hijacked to inject the Coinhive Monero miner, including the websites of government authorities (ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov.

The researchers concluded: “It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017.”

IoC

MD5

First stage
650DDDE919F9E5B854F8C375D3251C21
C384E62E483896799B38437E53CD9749
FA391BEAAF8B087A332833E618ABC358
52F7B21CCD7B1159908BCAA143E27945
B1760E8581F6745CBFCBE76FBD0ACBFA
A662D942F0E43474984766197288845B

Payloads

B9EEC74CA8B14F899837A6BEB7094F65
46B36F8FF2369E883300F472694BBD4D
10B1301EAB4B4A00E7654ECFA6454B20
CD5C5423EC3D19E864B2AE1C1A9DDBBC
7A3D9C0E2EA27F1B96AEFED2BF8971A4
E89FDDB32D7EC98B3B68AB7681FACCFC
27DDD96A87FBA2C15B5C971BA6EB80C6
844825B1336405DDE728B993C6B52A83
C6A795C27DEC3F5559FD65884457F6F3
89E42CB485D65F71F62BC1B64C6BEC95
0492C336E869A14071B1B0EF613D9899
2CC9ECD5566C921D3876330DFC66FC02
1CE28167436919BD0A8C1F47AB1182C4
