Attackers exploited a zero-day vulnerability in Telegram Messenger\’s Windows client during the wild for months prior to being discovered and addressed. While security researchers claim that the bug has recently been fixed, Kaspersky added that criminals were being utilizing the zero-day exploit since March 2017 before it was discovered last October.
The exploit involved classic right-to-left override (RLO) attack every time a file is sent by using a messenger. The bug exploited how Telegram?handles the special nonprinting RLO character (U+202E), which is often used to exchange between RTL to LTR text display. Attackers found out that they are able to leverage the type to trick users by hiding an executable file, since filename would seem partially or completely in reverse.
RelatedRussian Hackers Shown to Have Breached into Several German Ministries
The special nonprinting right-to-left override (RLO) character is utilized to reverse the order on the characters that could come subsequently character while in the string. Inside Unicode character table, it\’s represented as \’U+202E\’; one region of legitimate use is when typing Arabic text. Inside an attack, this character could be used to mislead the victim. It\’s usually used when displaying the name and extension of an executable file: an item of software in danger of this type of attack display the filename incompletely or even in reverse.
How this Telegram bug worked
Researchers at?Kaspersky revealed that attackers would send malware in a very message but use this special character to hide it.?A JS file may just be renamed as photo_high_re*U+202E*gnp.js, which might display gnp.js section of the string backwards on Telegram, thus allowing it to be look like an image file.
This zero day was adopted in several type of attacks: some experimented with take complete control over the victim’s computer using additional files and modules, others would install mining malware within the target system.?The attacks seemed to be accustomed to steal Telegram directories from victims which will contain information regarding their personal communications and transfered files. The backdoor enabled attackers to do varied malicious operations, including extracting web history archives and launching and deleting files.
RelatedUS Considers Extending Kaspersky Ban to Huawei – Also Limits China from Acquiring?Sensitive Technology
“It appears that only Russian cybercriminals were aware of this vulnerability, along with the exploitation cases that people detected occurring in Russia,” the Russian based security firm said. “Also, while conducting a detailed research these attacks we discovered lots of artifacts that pointed to involvement by Russian cybercriminals.”
The firm added who\’s doesn’t have “exact here is how long and which versions of your Telegram products were tormented by the vulnerability,” however, n\’t i longer works on the popular messaging service. It has to be said again that users can look after themselves originating from a quantity of similar attacks by never opening files from unknown sources – whether it’s a PDF or perhaps an image file.