Attackers are using the time-tested right-to-left override technique to deliver cryptomining malware through the popular Telegram messaging application, say researchers.
The right-to-left (RLO) technique uses Unicode to hide malicious file names and trick users into executing what appear to be benign files. It is a tactic that enables malware authors to hide the real name of a malicious executable.
The vulnerability was found by Kaspersky Lab in the Telegram’s Windows client in October 2017, according to Alexey Firsh, a security expert at Kaspersky Lab, in a report released Tuesday.
In the case of the file used in the Telegram attack the file name is “photo_high_re*U+202E*gnp.js” that displays as “photo_high_resj.png”. The “*U+202E*” is the RLO character to make Telegram display the remaining string “gnp.js” in reverse, researchers said.
“The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file,” Firsh wrote.
The RTL override technique has been used by malware authors for quite some time, with researchers at Mozilla reporting on it as far back as 2009.
It’s not clear what versions of Telegram were affected but the vulnerability was exploited in Windows clients beginning in March 2017, Firsh said. Kaspersky alerted Telegram to the issue and the vulnerability has been mitigated.
Telegram did not return a request for comment for this story.
The second stage in the attacks observed by researchers include exploiting the boom in cryptocurrency values via installing cryptocurrency mining software or possibly robbing a hosted cryptocurrency wallet.
Researchers said other variants of the script exist and contain the miner CryptoNight and tools such as a Remote Manipulator System (RMS) client, similar to remote desktop software TeamViewer. “Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access,” researchers wrote.
The available evidence shows that only Russian cybercriminals knew of the Telegram vulnerability. Additionally, Firsh said research only identified instances of the attack occurring in Russia.
Telegram is the favored messaging platform among the cryptocurrency community. The company recently announced plans for its own cryptocurrency, with the intention being to leverage Telegram’s 180 million users to push cryptocurrency into the mainstream, as TechCrunch reported.
While Telegram is touted as highly secure, it has experienced other vulnerabilities in the past. Last year, Check Point reported on a vulnerability in the web version of Telegram that would have allowed attackers to gain access to a user’s personal data under certain conditions.
In 2016, researchers disclosed another vulnerability in Telegram they said would give attackers the means to crash users’ devices and run up data charges. Telegram disputed the researchers’ conclusions.