Attackers were found exploiting a zero-day vulnerability in the Telegram app to make the names and extensions of malicious files appear more legitimate, in hopes that users who received these files in their messages would be more willing to open them.
According to a 13 February blog post from Kaspersky Lab, whose researchers uncovered the threat last October, the culprits are likely Russian, and were leveraging the malware to either remotely take over infected systems or install cryptominers.
“It appears that only Russian cyber-criminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia,” writes Kaspersky researcher and blog author Alexey Firsh. “Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cyber-criminals.”
While Telegram reportedly fixed the issue following Kaspersky’s private disclosure, the exploit had been in use since March 2017, Firsh reports.
Specifically, the adversaries were abusing a special Unicode character — expressed as U+202E — that allows coders to display letters and other characters from right to left, for languages such as Arabic and Hebrew. Firsh explains that attackers can, for example, disguise a suspicious-looking .js file as an innocuous .png image by using Unicode’s right-to-left override (RLO) character to reverse a file ending in “…gnp.js” so that it looks like it ends in “…sj.png.”
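A filename disguised this way can be caught by comparing the extension the operating system acts on with the one the recipient appears to see. The Python check below is an added example, not code from Kaspersky or Telegram; its function names and sample file names are constructed for illustration, and its rendering model handles only RLO and its terminator, not the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# Bidirectional formatting characters that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
RLO, PDF = "\u202e", "\u202c"

def bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def displayed_name(name):
    """Approximate what a user sees: text after RLO is drawn reversed until PDF."""
    out, run, in_rlo = [], [], False
    for c in name:
        if c == RLO:
            in_rlo = True
        elif c == PDF:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif c in BIDI_CONTROLS:
            continue  # invisible; reordering by other controls is not modelled
        elif in_rlo:
            run.append(c)
        else:
            out.append(c)
    out.extend(reversed(run))  # an unterminated RLO runs to the end of the name
    return "".join(out)

def check_filename(name):
    """Compare the extension the OS acts on with the one the user appears to see."""
    controls = bidi_controls(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    return {"suspicious": bool(controls), "controls": controls,
            "real_ext": real_ext, "shown_ext": shown_ext,
            "mismatch": real_ext != shown_ext}

# Constructed sample names (not taken from the reported attacks).
SAMPLES = ["holiday_\u202egnp.js", "report.png", "notes.js"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", displayed_name(sample), check_filename(sample))
```

Flagging any bidi control in an attachment name is the safer rule; the extension comparison only explains why a given name is deceptive.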
Message recipients who opened and ran these disguised files were unknowingly commencing an infection chain. In the first of two observed outcomes, the victim’s systems were infected with a .NET-based downloader, which used the Telegram API to receive botnet commands — written in Russian — seemingly for the purpose of deploying backdoors, loggers and other malware tools.
In the second known outcome, the infection chain resulted in the deployment of cryptominers. In one observed attack scenario, the victim was initially infected with a self-extracting archive (SFX) that executed a batch (BAT) file. In addition to a decoy document to ease suspicions, the BAT file opened an Equihash cryptominer program that mined Zcash via the NiceHash cryptocurrency cloud mining marketplace, as well as the taskmgn.exe cryptominer, which used the CryptoNight algorithm to mine Fantomcoin and Monero.
Some versions of the batch script came with extra features, allowing it to disable Windows security features and then log on to a malicious FTP server to download and launch an SFX payload containing yet another miner, as well as a Remote Manipulator System client for remote access.
Another observed cryptominer attack scenario also started with an SFX file, but in this case it yielded a VBScript, which then produced a decoy document and second SFX file with yet another VBScript that launched a CryptoNight miner that appeared to target Monero.