Scroll Top

Telegram Instant Messaging Contains a Zero Day Malware/Trojan

trojanKaspersky said on its website the Telegram Instant Messaging Software contains a Zero Day Malware/Trojan where users are tricked into downloading malicious software onto their computers and use their processing power to mine currency or serve as a backdoor for attackers to remotely control a machine.

One of the main tasks of the Trojan is to persuade users to run malware. In this case, by Downloading a picture that is embedded with the Malware.

The exploit uses the classic right-to-left override (RLO) attack when a file is sent using a messenger. The technique allows hackers to disguise executables as innocuous files for Word, Excel, PDF and so on.

This particular exploit provides a way to change the direction of written words. It is used for languages such as Hebrew and Arabic. The RLO creates a special invisible character and the string of letters that are displayed in reverse order.

Kapersky’s Example is as follows, “Suppose a cybercriminal creates a malicious file called Trojan.js. As you can see from the JS extension, it’s a JavaScript file, and it might contain any executable code. A cautious user immediately smells a rat and does not run it. But the scammer can rename it — for example, like so: cute_kitten*U+202E*gnp.js.

That would look even worse to a user, but here, U+202E is the Unicode character after which letters and punctuation marks are displayed from right to left. The resulting file name will be shown as follows: cute_kittensj.png. Now the file extension seems to be PNG — it looks like a perfectly normal picture file, but it is really a JavaScript Trojan.

The file-renaming trick using Unicode is not new. It was used to mask malicious e-mail attachments and file downloads almost a decade ago, and many environments are already protected against it. But when Telegram was targeted for the first time, it worked. In other words, Telegram has (or rather, had) the so-called RLO vulnerability, which was what our researchers picked up.”

The vulnerability was detected only in the Telegram Windows client, not in mobile apps. Kaspersky says are actively using it. Additionally, the victims’ operating systems should warn them if they are about to run an executable from an unknown source which ought to set off some alarm bells. but many people click Run without looking at the message.

Once launched, the malware really does shows the picture and the Trojan that may come with different types of payloads is run behind the scenes.

Payload Types

The first payload consists of a hidden crypto miner Payload type one is a hidden miner. The hidden miner slows down the computer and eventually causes the computer to burn out. The second Payload type is a backdoor that allows the cybercriminals to control the computer remotely and have full control of the system.

According to Researchers, “This type of infection can remain hidden for a very long time without the user suspecting a thing.”

Kaspersky says its analysis suggests the cybercriminals are of Russian origin, and the company has offered some tips to protect your PC against attack.  These include not downloading and opening unknown files from untrusted sources, avoiding sharing sensitive personal information in messenger apps and making sure to have reliable antivirus software installed on your machine.


Comments (1)

Comments are closed.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.