At the heart of some of the recent cryptocurrency mining hacks is the desktop version of Telegram, a messaging service that has become notorious as a tool of choice for nefarious activities.
Kaspersky Lab, a global cybersecurity company whose products detect and block digital threats, discovered the link between the hacks and Telegram’s desktop app.
On Tuesday, it alerted the crypto space that it had found evidence of a vulnerability in the desktop version of Telegram that let attackers install cryptocurrency mining malware on users’ computers.
Here, we’ll discuss these findings.
Zero-Day, many problems?
Kaspersky classed the flaw as a zero-day: a previously unknown weakness in the Telegram desktop app that was being exploited in the wild before a fix existed. According to Kaspersky, it was used to trick Telegram users into downloading malicious files. Once the download was completed, the files could be used to deliver cryptocurrency mining software and spyware. Specifically, the installed malware was being used to mine digital currencies such as Monero, Zcash, and Fantomcoin.
Kaspersky researchers were even able to find a stolen cache of Telegram data on one of the attackers’ servers.
This is how Kaspersky found the attackers were able to carry out their schemes:
According to the research, the Telegram zero-day was based on the RLO (right-to-left override) Unicode character, U+202E. It exists so that text in languages written from right to left, such as Arabic or Hebrew, can be rendered correctly. The same character, however, can be abused by malware authors to make a malicious file look like something harmless, for example an image.
Attackers placed the invisible RLO character inside the file name. Everything after it is displayed in reverse order, so the name the user sees on screen differs from the file’s real name: a JavaScript file can appear to end in .png while its actual extension is still .js. The file itself is not renamed; only its on-screen rendering changes. Users who opened the apparently harmless file actually launched the malware, which then installed itself on their computers. Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, said it had not since observed the flaw being exploited in the messenger’s products.
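The following Python script is an added example, not code from Kaspersky or Telegram. It shows how an RLO character changes what a user sees and gives a simple check a download handler or mail gateway could run on incoming file names: flag names that contain bidirectional control characters and whose displayed extension differs from their real one. The file names used as input are constructed for this example; the rendering function is a deliberate simplification of the Unicode bidi algorithm (it only reverses the text following an RLO up to a pop-directional-formatting character or the end of the name), which is enough to reproduce the trick described above.

```python
# Unicode bidirectional control characters that can change how a file name is
# displayed. U+202E (RLO) is the one used in the Telegram case; the others are
# included because they can be abused the same way.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (position, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi(name):
    """The file name as the operating system actually stores it, minus invisible controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def apparent_name(name):
    """Approximate what a user sees: text after an RLO is shown reversed until a
    PDF (U+202C) or the end of the string. Simplified, not a full UAX #9 implementation."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":  # right-to-left override: reverse what follows
            rest = name[i + 1:]
            end = rest.find("\u202c")
            segment = rest if end < 0 else rest[:end]
            out.append(segment[::-1])
            i += 1 + len(segment) + (0 if end < 0 else 1)
        elif ch in BIDI_CONTROLS:  # other controls are invisible; drop them
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name):
    """Compare the real and displayed name of a file and flag a mismatch in extension.

    A bidi control on its own is not condemned: legitimate right-to-left names
    may contain marks. The alarm is raised only when the control makes the file
    appear to have a different extension than it really has.
    """
    controls = find_bidi_controls(name)
    real = strip_bidi(name)
    shown = apparent_name(name)
    real_ext, shown_ext = _extension(real), _extension(shown)
    return {
        "controls": controls,
        "real_name": real,
        "displayed_name": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


def sanitize_for_display(name):
    """Make hidden controls visible, e.g. for logging or a download prompt."""
    return "".join(f"[{BIDI_CONTROLS[ch]}]" if ch in BIDI_CONTROLS else ch for ch in name)


if __name__ == "__main__":
    # Constructed sample names: a disguised script, a benign image, and a
    # legitimate right-to-left name that carries a harmless bidi mark.
    samples = [
        "photo_high_re\u202egnp.js",
        "vacation.png",
        "\u200fملف.pdf",
    ]
    for sample in samples:
        result = analyze_filename(sample)
        print(sanitize_for_display(sample), "->", result["displayed_name"],
              "| real ext:", result["real_extension"],
              "| shown ext:", result["displayed_extension"],
              "| suspicious:", result["suspicious"])
```

The first sample is stored as a `.js` file but renders as `photo_high_resj.png`, which is exactly the mismatch the check reports; the Arabic name with a right-to-left mark is left alone because its real and displayed extensions agree. In a real deployment the same logic can be applied on the server side before a message is delivered, or by the client when it names the downloaded file, with the sanitized form shown to the user instead of the raw name.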
Alexey Firsh, a malware analyst at Kaspersky Lab, said in the press release on the matter that the popularity of instant messaging services is extremely high. That is why it is so important that developers provide proper protection for their users, so that they do not become easy targets for criminals, Firsh added.
“We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, were used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability.”
But we’re just great!
We told you last month about Telegram wanting to complete an initial coin offering. Then we noted that what it was touting could be setting itself up for huge expectations. Its bold claims included:
- its ability to handle millions of transactions per second
- infinite sharding to prevent congestion, which occurs when a small subset of network nodes validate every single transaction
- instant off-chain transactions and support for billions of users and thousands of decentralized apps
Not everyone is impressed with Telegram, nor its planned ICO, which is thought to be the largest ever with its $2 billion goal. Telegram’s founder Pavel Durov has boasted that it is a highly secure messaging tool, where traffic is encrypted and difficult to intercept.
Bloomberg reported that this positioning helped the service gain popularity among security-conscious users, including French President Emmanuel Macron. Then there is the matter of Islamic State terrorists also being enamored with the service, according to the same financial media outlet.
To protect your PC from any infection, Kaspersky recommends the following:
- Do not download and open unknown files from untrusted sources
- Try to avoid sharing any sensitive personal information in instant messengers
- Install a reliable security solution that detects and protects you from all possible threats