Telegram Zero day

Security researchers from Kaspersky revealed a Zero-day vulnerability in Telegram Windows client that abused by attackers in wild for installing malware and cryptocurrency miners. This Telegram Zero day vulnerability was notified to telegram and the vulnerability no longer occurs in Telegram’s products.

What is the Vulnerability?

The vulnerability resides in with how the windows telegram client handles the RLO Unicode character that used to manage with the languages written from left to right “Right to left override”.

With this vulnerability, attackers can send as js file and make the recipient sees an incoming PNG image file instead of a JS file.

According to Alexey Firsh Attackers can sent malware in a message, the JS file renamed as evil.js -> photo_high_re*U+202E*gnp.js and the *U+202E* is the RLO character.

While the file rendered in the extension remains same as .js but rendered in a screen as photo_high_resj.png.

Telegram Zero day Vulnerability Exploitation to install Malware and Miners

Attackers use this vulnerability in wide to take control of the victim’s system, they push downloader and uses the Telegram API as command protocol to control systems.

Researchers said loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Now the cryptomining attacks are in the boom, attackers using it to make money from their victims and all they need to do is running a mining client on victim computer.

Cryptomining attacks and the Cryptocurrency exchange attacks are at it’s peak, in the recent massive attack, the hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov.

Researchers concluded saying it appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017

IoC

MD5

First stage
650DDDE919F9E5B854F8C375D3251C21
C384E62E483896799B38437E53CD9749
FA391BEAAF8B087A332833E618ABC358
52F7B21CCD7B1159908BCAA143E27945
B1760E8581F6745CBFCBE76FBD0ACBFA
A662D942F0E43474984766197288845B

Payloads

B9EEC74CA8B14F899837A6BEB7094F65
46B36F8FF2369E883300F472694BBD4D
10B1301EAB4B4A00E7654ECFA6454B20
CD5C5423EC3D19E864B2AE1C1A9DDBBC
7A3D9C0E2EA27F1B96AEFED2BF8971A4
E89FDDB32D7EC98B3B68AB7681FACCFC
27DDD96A87FBA2C15B5C971BA6EB80C6
844825B1336405DDE728B993C6B52A83
C6A795C27DEC3F5559FD65884457F6F3
89E42CB485D65F71F62BC1B64C6BEC95
0492C336E869A14071B1B0EF613D9899
2CC9ECD5566C921D3876330DFC66FC02
1CE28167436919BD0A8C1F47AB1182C4