Telegram 0-Day Exploited for Months to Spread Backdoors & Mining Malware
Attackers exploited a zero-day vulnerability in Telegram Messenger’s Windows client in the wild for months before it was discovered and addressed. While security researchers suggest that the bug has now been fixed, Kaspersky added that criminals had been using the zero-day exploit since March 2017 before it was discovered last October.
The exploit involved a classic right-to-left override (RLO) attack, triggered when a file is sent through the messenger. The bug lay in how Telegram handled the special non-printing RLO character (U+202E), which is used to switch text display between right-to-left and left-to-right. Attackers discovered that they could use this character to trick users into opening an executable file, because the filename would be displayed partially or completely in reverse.
The special non-printing right-to-left override (RLO) character reverses the order of the characters that follow it in a string. In the Unicode character table it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, the character is used to mislead the victim, typically in the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.
How this Telegram bug worked
Researchers at Kaspersky said that attackers would send malware in a message but use this special character to hide it. A JS file could be renamed as photo_high_re*U+202E*gnp.js, which would make Telegram display the gnp.js part of the string in reverse, so the file appeared to be an image.
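As an added illustration (not code from the article or from Kaspersky), the following Python detector reproduces the renaming trick on the article's own example and shows what a defender can check: whether a filename contains any Unicode bidi-override control, how a naive renderer would display it, and whether the displayed extension differs from the one the operating system will actually use. The reversal logic is a deliberate simplification of the Unicode bidirectional algorithm, enough for the case the article describes.

```python
# Added example (not from the article): flag filenames that use Unicode
# bidirectional override characters to disguise their real extension.

# Bidi embedding/override/isolate controls. U+202E (RLO) is the one the
# article describes; the others are listed because they are equally unusual
# in a filename and worth flagging (this assumption is the author's own).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(name):
    """Return (index, control name) for every bidi control in the string."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate a naive renderer: everything after the first RLO is drawn
    reversed. Simplified on purpose; it models only the trick in the article."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]

def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def true_extension(name):
    """Extension the OS uses: text after the last '.' once controls are removed."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))

def analyse(name):
    """Summarise why a filename is suspicious (bidi controls or an extension mismatch)."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = true_extension(name), _extension(shown)
    return {
        "raw": name, "controls": controls, "displayed": shown,
        "true_extension": real_ext, "displayed_extension": shown_ext,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }

# Constructed sample names; the first is the article's example, the second is benign.
SAMPLES = ["photo_high_re\u202egnp.js", "report.pdf"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyse(s)
        print(r["raw"].encode("unicode_escape").decode(), "->", r["displayed"],
              "| real ext:", r["true_extension"], "| suspicious:", r["suspicious"])
```

The first sample is displayed as photo_high_resj.png while its real extension remains js, which is exactly the mismatch a mail or chat gateway should refuse to pass through silently.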
This zero-day was used in different kinds of attacks: some tried to take complete control of the victim's computer using additional files and modules, while others installed mining malware on the target system. The attacks were also used to steal Telegram directories from victims, which may contain information about their personal communications and transferred files. The backdoor enabled attackers to carry out a variety of malicious operations, including extracting web history archives and launching and deleting files.
"It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia," the Russian-based security firm said. "Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals."
The firm added that it doesn't have "exact information about how long and which versions of the Telegram products were affected by the vulnerability," but that the exploit no longer works on the popular messaging service. It bears repeating that users can protect themselves from many similar attacks by never opening files from unknown sources, whether the file appears to be a PDF or an image.