Kaspersky Lab researchers have uncovered cyber attacks carried out with new malware that exploits a zero-day vulnerability in the desktop version of the Telegram application. The vulnerability was used to deliver multipurpose malware which, depending on the target computer, acts either as a backdoor or as a loader for cryptocurrency mining software. According to the research, the vulnerability has been actively exploited since March 2017 to mine cryptocurrencies, including Monero, Zcash and others.
Messaging services have long been an inseparable part of our online lives and are designed to make it easier to keep in touch with friends and family. However, they can also become a liability when a cyber attack occurs. Last month, Kaspersky Lab published a research report on an advanced mobile malware, the Skygofree Trojan, which is able to steal WhatsApp messages. The latest research shows that the experts detected attacks exploiting a new, previously unknown vulnerability in the desktop version of another popular messaging service.
According to the study, the zero-day vulnerability in the Telegram application is based on the Unicode right-to-left override (RLO) character, which is normally used to write right-to-left scripts such as Arabic or Hebrew. Malware authors abuse it to make users download a malicious file from the Internet that appears to be a picture.
The attackers placed this hidden Unicode character in the filename. Everything that follows the character is displayed in reverse order, so the name shown to the user differs from the real one and a script or executable can be made to look like an image file. As a result, users downloaded the disguised malware, which was then installed on their computers. Kaspersky Lab reported the vulnerability to Telegram, and since the report was published the zero-day has no longer been observed in Telegram's products.
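The following added example (not code from Kaspersky's report or from Telegram) shows what the right-to-left override trick does to a filename and how a simple check can flag it. The override character is U+202E; the sample filenames are constructed for illustration, and the hypothetical `analyze` function approximates how a naive file list would render the name.

```python
"""Right-to-left override (RLO, U+202E) filename spoofing: rendering and detection.

Added example for this article; not Kaspersky's or Telegram's code.
Sample filenames are constructed for illustration.
"""

# Unicode bidi control characters that can reorder or hide parts of a rendered name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions the OS treats as runnable; a file that *displays* as something else
# but really ends in one of these is the pattern described in the article.
EXECUTABLE_EXTS = {
    "js", "jse", "vbs", "vbe", "exe", "scr", "bat", "cmd",
    "hta", "ps1", "wsf", "com", "pif", "jar", "msi",
}


def rendered_name(name: str) -> str:
    """Approximate what a naive display shows: the text after a single U+202E
    is drawn right-to-left, i.e. reversed. One RLO is the trick used in the wild."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def _extension(name: str) -> str:
    """Lower-case extension after the last dot, with bidi controls removed."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def real_extension(name: str) -> str:
    """Extension the operating system actually uses (raw string order)."""
    return _extension(name)


def displayed_extension(name: str) -> str:
    """Extension the user believes they see."""
    return _extension(rendered_name(name))


def analyze(name: str) -> dict:
    """Flag a filename as suspicious when a bidi control hides a runnable extension."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    real = real_extension(name)
    shown = displayed_extension(name)
    return {
        "raw": name,
        "displayed": rendered_name(name),
        "real_ext": real,
        "shown_ext": shown,
        "suspicious": has_bidi and real in EXECUTABLE_EXTS and real != shown,
    }


if __name__ == "__main__":
    # Constructed samples: a spoofed script, a plain document, a legitimate Hebrew name.
    for sample in ("photo_high_re\u202egnp.js", "report.pdf", "\u05d3\u05d5\u05d7.pdf"):
        r = analyze(sample)
        print(f"displayed as {r['displayed']!r:28} real ext {r['real_ext']:4} "
              f"shown ext {r['shown_ext']:4} suspicious={r['suspicious']}")
```

The spoofed sample renders as `photo_high_resj.png` while Windows executes it as a `.js` file; the check does not fire on genuine right-to-left filenames because those contain no override control character. A mail gateway or endpoint agent can apply the same rule to attachment names and to files written into the Telegram download directory.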
During the analysis, Kaspersky Lab experts identified several scenarios in which threat actors can exploit the zero-day vulnerability. It was first used to deliver mining malware, which can be very harmful to users: by using the victims' computing capacity, the criminals mined various cryptocurrencies, including Monero, Zcash, Fantomcoin and others. Moreover, while analysing the threat actor's server, Kaspersky Lab researchers discovered archives containing Telegram local cache data stolen from the victims.
In a second scenario, successful exploitation of the vulnerability was followed by installation of a backdoor that used the Telegram application programming interface (API) as its command and control protocol, giving the attackers remote access to the victim's computer. After installation it ran in silent mode, which allowed the threat actor to remain unnoticed on the network and to execute various commands, including installing further spyware. Artifacts found during the investigation point to the Russian origin of the cyber criminals.
“The popularity of messaging services is extremely high, and it is very important for developers to provide adequate protection to their users so that they do not become easy targets for cyber criminals. We have uncovered several scenarios for using this zero-day vulnerability, which, in addition to common malware and spyware, has also been used to deliver mining software, which became a global trend over the past year. Moreover, we believe there were other ways to exploit this zero-day vulnerability,” said Alexey Firsh, malware analyst in the Targeted Attacks Research team at Kaspersky Lab.
Kaspersky Lab products detect and block attempts to exploit this newly discovered vulnerability. To protect your computer from infection, Kaspersky Lab recommends the following:
- Do not download or open unknown files from untrusted sources on the Internet;
- Avoid sharing sensitive personal information in messaging applications;
- Install a reliable security solution, such as Kaspersky Internet Security or Kaspersky Free, which detects and protects users against threats, including malicious mining software.
More about the uncovered zero-day vulnerability, including technical details, can be found in the post on the Securelist.com blog.