Unicode Technique Used to Deliver Cryptomining Malware Through Telegram

It’s just the latest reported vulnerability for the secure messaging application.

Attackers are using the time-tested right-to-left override technique to deliver cryptomining malware through the popular Telegram messaging application, say researchers.

The right-to-left (RLO) technique uses Unicode to hide malicious file names and trick users into executing what appear to be benign files. It is a tactic that enables malware authors to hide the real name of a malicious executable.

The vulnerability was found by Kaspersky Lab in the Telegram’s Windows client in October 2017, according to Alexey Firsh, a security expert at Kaspersky Lab, in a report released Tuesday.

Firsh gave the example of the RLO attack in action. For example, hidden in the file name is Unicode that reverses the order of the characters that follow it. So, for example, the malicious JavaScript executable with the name “gnp.js” becomes what appears to be a benign PNG image file “sj.png”.

In the case of the file used in the Telegram attack the file name is “photo_high_re*U+202E*gnp.js” that displays as “photo_high_resj.png”. The “*U+202E*” is the RLO character to make Telegram display the remaining string “gnp.js” in reverse, researchers said.

“The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file,” Firsh wrote.

When a user clicks on the file within the Messenger client it sees the standard Windows security message warning users to use caution when executing JavaScript files from unknown sources. If the user clicks on “Run”, the malicious file is launched.

The RTL override technique has been used by malware authors for quite some time, with researchers at Mozilla reporting on it as far back as 2009.

It’s not clear what versions of Telegram were affected but the vulnerability was exploited in Windows clients beginning in March 2017, Firsh said. Kaspersky alerted Telegram to the issue and the vulnerability has been mitigated.

Telegram did not return a request for comment for this story.

The second stage in the attacks observed by researchers include exploiting the boom in cryptocurrency values via installing cryptocurrency mining software or possibly robbing a hosted cryptocurrency wallet.

After the user clicks on the obfuscated JavaScript file it opens a self-extracting archive (SFX) of a batch file (BAT) that first disables Windows security features, then launches a decoy image file and next, downloads both the cryptocurrency miners Fantomcoin (for Monero) and Equihash (for Zcash) from an FTP server.

Researchers said other variants of the script exist and contain the miner CryptoNight and tools such as a Remote Manipulator System (RMS) client, similar to remote desktop software TeamViewer. “Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access,” researchers wrote.

The available evidence shows that only Russian cybercriminals knew of the Telegram vulnerability. Additionally, Firsh said research only identified instances of the attack occurring in Russia.

Telegram is the favored messaging platform among the cryptocurrency community.  The company recently announced plans for its own cryptocurrency, with the intention being to leverage Telegram’s 180 million users to push cryptocurrency into the mainstream, as TechCrunch reported.

While Telegram is touted as highly secure, it has experienced other vulnerabilities in the past. Last year, Check Point reported on a vulnerability in the web version of Telegram that would have allowed attackers to gain access to a user’s personal data under certain conditions.

In 2016, researchers disclosed another vulnerability in Telegram they said would give attackers the means to crash users’ devices and run up data charges. Telegram disputed the researchers’ conclusions.

Suggested articles