Hackers have exploited a zero-day flaw in Telegram to infect users with a backdoor that provides cybercriminals with remote control of victims' systems. Cybercriminals also used the vulnerability to instal a malware that allowed them to mine for cryptocurrencies.
The zero-day flaw was based on the right-to-left override (RLO) Unicode method, which is used for coding languages that are written from right to left, such as Arabic or Hebrew. However, RLO can also be used by hackers to trick users into downloading malicious files disguised as photos.
According to security researchers at Kaspersky Lab, who discovered the zero-day flaw and the attacks, the hackers began exploiting the vulnerability, targeting Telegram Windows users in March 2017. The researchers discovered that the hackers were exploiting the vulnerability to mine for various cryptocurrencies, including Monero, ZCash, Fantomcoin and others.
Hackers also infected users' systems with a backdoor that used the Telegram API, which in turn gave attackers remote control access to victims' computers. Once installed, the backdoor operated in silent mode, allowing the hackers to remain undetected and giving them the opportunity to install more spyware tools on victims' systems.
The researchers believe that the attacks are likely the work of Russian hackers.
"It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals," Kaspersky Lab malware analyst Alexey Firsh wrote in a blog.
The researchers were unable to determine which versions of Telegram were affected and for how long. It also remains unknown as to how many Telegram users were targeted by the hackers. However, once the researchers alerted Telegram about the flaw, the vulnerability was fixed.
"The popularity of instant messenger services is incredibly high, and it's extremely important that developers provide proper protection for their users so that they don't become easy targets for criminals," Firsh said. "We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability."