Kaspersky said on its website that the Telegram instant messaging software contained a zero-day vulnerability used to deliver a Trojan: users are tricked into downloading malicious software onto their computers, which then uses their processing power to mine cryptocurrency or serves as a backdoor through which attackers remotely control the machine.
One of the main tasks of the Trojan is to persuade users to run the malware. In this case, that is done by getting them to download a picture that has the malware embedded in it.
The exploit uses the classic right-to-left override (RLO) attack, applied when a file is sent through a messenger. The technique lets attackers disguise executables as innocuous Word, Excel, PDF and similar files.
The RLO itself is a legitimate Unicode feature for changing the direction of written text; it exists for right-to-left languages such as Hebrew and Arabic. The RLO is a special invisible character, and the string of letters that follows it is displayed in reverse order, so the visible file name (and its apparent extension) no longer matches the real one.
As Kaspersky put it: “The file-renaming trick using Unicode is not new. It was used to mask malicious e-mail attachments and file downloads almost a decade ago, and many environments are already protected against it. But when Telegram was targeted for the first time, it worked. In other words, Telegram has (or rather, had) the so-called RLO vulnerability, which was what our researchers picked up.”
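The check an endpoint agent, mail gateway or messenger client can apply to catch this trick is simple: a bidi control character has no business in an ordinary file name. The following is an added example (not code from Kaspersky or from the article); the sample file name `invoice<RLO>fdp.exe` is constructed for the demonstration, and the rendering function is a deliberate simplification of the Unicode bidi algorithm that covers the single-RLO pattern described above.

```python
"""Flag file names that use Unicode bidi controls to spoof their extension."""
from pathlib import PurePath

# Unicode bidi embedding/override/isolate controls. None belong in a normal
# file name; U+202E (RLO) is the one used in the Telegram attack.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
RLO = "\u202e"


def bidi_controls_in(name: str) -> list:
    """Return (index, mnemonic) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def apparent_name(name: str) -> str:
    """Approximate what a viewer renders for the single-RLO trick: text before
    the RLO is shown as-is, text after it is shown reversed. (Simplification
    of the full bidi algorithm; sufficient for this attack pattern.)"""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def inspect_filename(name: str) -> dict:
    """Compare the extension the OS honours with the one the user sees."""
    controls = bidi_controls_in(name)
    shown = apparent_name(name)
    return {
        "real_extension": PurePath(name).suffix.lower(),   # what gets executed
        "displayed_as": shown,
        "displayed_extension": PurePath(shown).suffix.lower(),  # what is read
        "bidi_controls": controls,
        "suspicious": bool(controls),  # any bidi control in a name is a red flag
    }


if __name__ == "__main__":
    # Constructed samples: one spoofed executable, one ordinary picture.
    for sample in ("invoice\u202efdp.exe", "holiday.jpg"):
        print(inspect_filename(sample))
```

Blocking or quarantining on `suspicious` is the safe default; a name containing U+202E is the same attack regardless of which extension it pretends to carry.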
The vulnerability was detected only in the Telegram Windows client, not in the mobile apps. Kaspersky says attackers are actively exploiting it. Additionally, the victims' operating system should warn them that they are about to run an executable from an unknown source, which ought to set off some alarm bells, but many people click Run without reading the message.
Once launched, the malware really does show the picture, while the Trojan, which may carry different types of payloads, runs behind the scenes.
The first payload type is a hidden cryptocurrency miner. It slows the computer down and can eventually cause it to burn out. The second payload type is a backdoor that lets the cybercriminals control the computer remotely and gives them full control of the system.
According to the researchers, “This type of infection can remain hidden for a very long time without the user suspecting a thing.”
Kaspersky says its analysis suggests the cybercriminals are of Russian origin, and the company has offered some tips for protecting your PC against attack: do not download and open unknown files from untrusted sources, avoid sharing sensitive personal information in messenger apps, and make sure reliable antivirus software is installed on your machine.