The vulnerability has been exploited since March 2017, according to Kaspersky’s report. Attackers used it to deliver multi-purpose malware disguised as a harmless file: by inserting the Unicode right-to-left override character into a file name, they reversed the displayed order of the characters that followed it, so the name a victim saw in the Telegram messenger did not match the real type of the file being sent.
“It is generally used for coding languages that are written from right to left, like Arabic or Hebrew; however, it can also be used by malware creators to mislead users into downloading malicious files disguised, for example, as images,” the report says. “Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in the messenger’s products.”
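The following is an added example, not code from Kaspersky’s report or from Telegram, showing why the trick works and how to check for it. The file name is constructed for illustration; `naive_display` simplifies the Unicode bidirectional algorithm (it just reverses the text that follows a right-to-left override, U+202E, until a pop-directional-formatting character or the end of the name), which is accurate for the plain ASCII names these lures use.

```python
import os

# Unicode bidirectional control characters that can re-order the displayed
# text of a file name: explicit embeddings/overrides (U+202A..U+202E) and
# isolates (U+2066..U+2069). None of them belong in a legitimate file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING


def naive_display(name: str) -> str:
    """Approximate how a file manager draws NAME.

    Text after an RLO is rendered right-to-left (i.e. reversed) until a PDF
    or the end of the string. This is a simplification of the full bidi
    algorithm, sufficient for ASCII file names.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            out.append(name[i + 1:j][::-1])   # the overridden run, reversed
            i = j + 1                          # skip the PDF, if any
            continue
        if ch in BIDI_CONTROLS:
            i += 1                             # other controls have no glyph
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the operating system actually uses: the raw code points,
    with the invisible controls removed, and the last dot wins."""
    cleaned = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def displayed_extension(name: str) -> str:
    """Extension a user would read off the rendered name."""
    return os.path.splitext(naive_display(name))[1].lower()


def check_filename(name: str) -> dict:
    """Flag a file name whose visible extension differs from its real one."""
    found = [f"U+{ord(c):04X} ({BIDI_CONTROLS[c]})"
             for c in name if c in BIDI_CONTROLS]
    shown = displayed_extension(name)
    real = real_extension(name)
    return {
        "bidi_controls": found,
        "displayed_as": naive_display(name),
        "displayed_extension": shown,
        "real_extension": real,
        "suspicious": bool(found) and shown != real,
    }


# Constructed sample: the victim sees "photo_high_resj.png", the OS sees a
# file ending in ".js".
SAMPLE = "photo_high_re\u202egnp.js"

if __name__ == "__main__":
    for n in (SAMPLE, "report.pdf"):
        print(check_filename(n))
```

A mail gateway or chat client can apply the same rule: reject or rename any attachment whose name contains a bidirectional control character, since there is no legitimate reason for one to appear there, and the real extension is what the operating system will execute.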
By using the victim’s PC’s computing power, the attackers mined cryptocurrencies such as Monero, Zcash and Fantomcoin. They also installed a backdoor that used the Telegram API as its command-and-control channel, giving them remote access to the victim’s computer. Once installed, the backdoor ran silently, allowing the threat to stay hidden on the host and install additional spyware tools.
Kaspersky says the trail of breadcrumbs from these attacks suggests Russian cybercriminal activity.
“The popularity of instant messenger services is incredibly high, and it’s extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals,” said Alexey Firsh, malware analyst, targeted attacks research for Kaspersky Lab.
Last month, Kaspersky discovered mobile malware that was stealing WhatsApp messages.