Malware authors have used a zero-day vulnerability in the Windows client for the Telegram instant messaging service to infect users with cryptocurrency mining malware, researchers from Kaspersky Lab plan to reveal today.
The zero-day has been fixed in the meantime, but Kaspersky researcher Alexey Firsh says crooks appear to have used the flaw for months before he discovered it last October.
According to Firsh, the zero-day lies in how the Telegram Windows client handles the RLO (right-to-left override) Unicode character. This character switches the text display direction between left-to-right and right-to-left.
Firsh says crooks spammed Telegram users with messages containing file attachments. The file names contained the RLO character, which changed text display direction right in the middle of the file's name.
For example, in one campaign crooks sent users a file named "photo_high_re*U+202E*gnp.js", where *U+202E* is the RLO character.
When the file name was rendered on screen, the part after the RLO character was flipped and the file appeared as "photo_high_resj.png", as in the image below:
In the campaigns Firsh was able to track down, crooks used the Telegram zero-day to install malware that secretly mined cryptocurrency on users' computers. The crooks focused their efforts on mining Monero, Zcash, and Fantomcoin primarily.
Firsh also discovered cases where crooks installed a backdoor trojan (controllable via the Telegram API) and other spyware tools, but in most cases the malware authors focused on deploying crypto-mining malware.
The vulnerability itself is not especially innovative: it relies on an old trick, known for at least half a decade and first detailed in a 2013 F-Secure report.
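The filename trick described above, as an added example that is not part of the article or of Kaspersky's report: a small Python helper that simulates (in simplified form; the real Unicode bidi algorithm is more involved) how a name containing U+202E is rendered, and flags attachments whose displayed extension differs from their real one. The sample names are constructed; the one from the article is included.

```python
# Unicode bidirectional control characters that can change how a file name is
# displayed without changing the actual name. U+202E (RLO) is the one abused here.
RLO = "\u202e"   # right-to-left override
PDF = "\u202c"   # pop directional formatting (ends an override)
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}

def rendered_name(name: str) -> str:
    """Simplified rendering: each run between an RLO and the next PDF (or the
    end of the string) is shown reversed; other bidi controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])   # flipped segment
            i = end + 1                           # skip the PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1                                # invisible control, drop it
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def real_extension(name: str) -> str:
    """Extension the OS will use: control characters removed, nothing reversed."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))

def displayed_extension(name: str) -> str:
    """Extension the user sees after the client renders the name."""
    return _extension(rendered_name(name))

def is_rlo_spoofed(name: str) -> bool:
    """True when bidi controls make the shown extension differ from the real one."""
    has_control = any(c in BIDI_CONTROLS for c in name)
    return has_control and displayed_extension(name) != real_extension(name)

def flag_attachments(names):
    """Return (real name, displayed name, real extension) for spoofed attachments."""
    return [(n, rendered_name(n), real_extension(n)) for n in names if is_rlo_spoofed(n)]

# Constructed sample attachment names; the first is the one from the article.
SAMPLES = ["photo_high_re\u202egnp.js", "photo_high_res.png", "abc\u202efed\u202c.txt"]
```

Running `flag_attachments(SAMPLES)` reports only the first name, shown as "photo_high_resj.png" while its real extension is "js"; the third name contains an override but it does not alter the extension, so it is not flagged.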
According to Firsh, the zero-day saw limited use and was only exploited by a Russia-based actor.
"It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia," Firsh wrote in a report made available to Bleeping Computer before publication.
"Also, while conducting detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals," the expert said.
"We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability," Firsh added. "What we do know is that its exploitation in Windows clients began in March 2017."
UPDATE: The Kaspersky report detailing this zero-day is now live and available here.