If you’ve never heard of Telegram, it’s an instant messaging platform that’s quickly gaining popularity for its emphasis on secure, private chats. In fact, the developers of Telegram are so confident in its security that they’ve announced multiple hacking contests with six-figure bounties. So far, none of the contests have found a winner.
One of the features that makes Telegram so nice to use is the ability to instantly share files with your friends. Pictures, Word documents, PDFs, those sorts of things. But what if someone sent you an executable program? Would you run it? Probably not — but what if it looked like a picture, or a Word document, or a PDF?
Beginning in March 2017, many unsuspecting users fell victim to a vulnerability in how Telegram handled Unicode, specifically the “right-to-left override” character (or RLO, U+202E). The RLO character is intended to reverse any text that precedes it. In some applications, the RLO is improperly handled and can cause the characters after the RLO not to be displayed at all. Telegram, however, displays strings containing an RLO character correctly. So what’s the big deal?
It turns out that applying this to filenames can be disastrous. By cleverly naming a file to hide the real extension, it’s possible to trick someone into downloading something that appears harmless. For example, if an attacker wanted to send you a malicious JavaScript file, they could send you a file named “photo_high_re\U+202Egnp.js” and Telegram would display it as “photo_high_resj.png”.
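To make the mismatch concrete from a defender’s side, here is a small Python checker. It is an added example, not code from the original article or from Telegram or Kaspersky; the function names (`displayed_name`, `real_extension`, `is_suspicious`, `sanitize`) and the sample filename list are my own. It models the rendering the article describes (text after an RLO is drawn right-to-left, so “gnp.js” shows as “sj.png”), compares the extension a user *sees* with the one the operating system will actually use, and strips the bidirectional control characters so the two agree. A file-sharing service or an endpoint agent could run the same check on every incoming attachment name.

```python
# Unicode bidirectional control characters that can reorder or hide displayed text.
# Only U+202E (RLO) is used in the Telegram trick, but the others are just as
# capable of making a rendered filename differ from the stored one.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202E"


def find_bidi_controls(name):
    """Return (index, abbreviation) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """The extension the OS actually honours: text after the last '.' in the raw string."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate how a renderer shows a name containing one RLO.

    Everything after the override is forced right-to-left, i.e. drawn reversed,
    until the end of the string. This is a simplification of the full Unicode
    bidi algorithm, but it is exact for the ASCII-only case in the article.
    """
    if RLO not in name:
        return name
    before, _sep, after = name.partition(RLO)
    return before + after[::-1]


def apparent_extension(name):
    """The extension a user believes they are looking at."""
    return real_extension(displayed_name(name))


def is_suspicious(name):
    """Flag any name with a bidi control, or whose seen and real extensions differ."""
    if find_bidi_controls(name):
        return True
    return apparent_extension(name) != real_extension(name)


def sanitize(name):
    """Strip all bidi controls so the rendered name matches the stored one."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def triage(names):
    """Return a list of (name, displayed, real_ext, apparent_ext) for flagged names."""
    return [
        (n, displayed_name(n), real_extension(n), apparent_extension(n))
        for n in names
        if is_suspicious(n)
    ]


# Constructed sample attachment names: the article's example plus two benign ones.
SAMPLE_NAMES = [
    "photo_high_re\u202Egnp.js",   # the article's example: shows as photo_high_resj.png
    "holiday.png",                 # benign
    "report.pdf",                  # benign
]

if __name__ == "__main__":
    for name, shown, real, seen in triage(SAMPLE_NAMES):
        print(f"FLAG: shown as {shown!r}, looks like .{seen} but is really .{real}")
        print(f"      sanitized: {sanitize(name)!r}")
```

The important design choice is that `real_extension` never looks at the rendered form: whatever the user sees, the launcher decides by the bytes of the name, so that is what the check must compare against. Stripping the controls (`sanitize`) is the mitigation; flagging any bidi control at all, even when the extensions happen to match, is the detection rule, since a legitimate photo name almost never needs one.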
This exploit was used to install malware such as backdoors and spyware, though some craftier attackers were using Telegram to trick people into running cryptominers. Kaspersky Labs uncovered the vulnerability in October 2017, which means this vulnerability existed for at least 8 months. Kaspersky Labs also noted that this was an increasingly popular exploit for 2017. Kaspersky Labs alleges that the source of the attack was Russian cybercriminals, and that no evidence was found to suggest the exploit was known outside of the Russian cybercriminal community.
Victims of this attack actually would have been somewhat protected if the security confirmations on Windows were still enabled. When executing the file, Windows correctly displays what type of file it is (JavaScript, exe, etc.). However, even for the users that still have this feature enabled, I think it’s fair to say that most people have trained their muscle memory to click “Run” when that popup appears. This serves as a good reminder to always take a moment to verify what you’re doing.
Original article: https://www.csoonline.com/article/3254139/security/hackers-exploit-zero-day-flaw-in-telegram-to-mine-cryptocurrency.html
Telegram: https://telegram.org/
Kaspersky Labs: https://securelist.com/zero-day-vulnerability-in-telegram/83800/
Written by Jesse R.