Kaspersky Lab uncovered attacks in the wild that exploited a vulnerability in the Telegram desktop application to install backdoors or mine cryptocurrency without victims noticing.
Telegram Zero-Day Vulnerability
The Kaspersky researchers said that the flaw was based on the right-to-left override (RLO) Unicode character (U+202E), which exists to support languages written from right to left, such as Arabic or Hebrew. RLO is an invisible control character that flips the rendering direction of the text that follows it. The attackers embedded it in a file name sent over Telegram, so the client displayed a malicious script with a harmless-looking name and extension, which is what tricked victims into opening it.
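To make the trick concrete, here is an added example (not code from Kaspersky's report or from Telegram) that models how an RLO-laden file name is rendered, compares the extension a user sees with the one Windows actually acts on, and shows the sanitisation a chat client should apply before displaying a received file name. The sample file name is constructed for illustration, the list of executable extensions is an assumption, and the rendering model is a deliberate simplification of real bidirectional layout.

```python
# Unicode bidirectional control characters. Any of these in a file name is a
# red flag: they are invisible and can make the rendered name differ from the
# real one (RLO, U+202E, is the one used in the Telegram attack).
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)
RLO = "\u202e"

# Extensions Windows runs directly or hands to a script host (assumed list,
# not exhaustive).
EXECUTABLE_EXTS = frozenset(
    {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
     "wsf", "wsh", "hta", "ps1", "msi"}
)


def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows for a name containing RLO:
    everything after the first U+202E is drawn right-to-left, i.e. reversed.
    Real bidi layout is more involved; this simplified model is enough for
    the extension-spoofing case."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def extension(name: str) -> str:
    """Lower-cased extension, or '' if there is none."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def strip_bidi(name: str) -> str:
    """What a client should do before showing or saving a received file
    name: drop every bidi control character so the name cannot lie."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def analyze(name: str) -> dict:
    """Compare the extension a user would see with the one Windows acts on."""
    shown = displayed_name(name)
    real_ext = extension(strip_bidi(name))
    shown_ext = extension(shown)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "has_bidi": has_bidi,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        # Flag hidden controls combined with an executable real extension,
        # or a visible extension that differs from the real one.
        "suspicious": has_bidi
        and (real_ext in EXECUTABLE_EXTS or real_ext != shown_ext),
    }


if __name__ == "__main__":
    # Constructed sample: a JScript file whose name is crafted so the part
    # after RLO reads back-to-front on screen and ends in what looks like .png.
    sample = "photo_high_re" + RLO + "gnp.js"
    for n in (sample, "holiday.png", "invoice.pdf"):
        r = analyze(n)
        print(f"{displayed_name(n)!r:>24}  real={r['real_ext']!r} "
              f"shown={r['shown_ext']!r} suspicious={r['suspicious']}")
```

The detection side is the interesting part: a mail gateway or chat client that simply compares `extension(strip_bidi(name))` against the extension the user will see catches the spoof regardless of which payload sits behind it, and stripping the control characters before display removes the attack surface entirely.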
Although the exploit sounds ingenious (and it is), the same trick has been used in malicious email attachments for the past decade, so it is a class of attack the Telegram developers arguably should have defended against in their app.
Installing The Backdoor
So as not to raise suspicion (beyond the Windows prompt, at least), the malicious script also displays an actual image of a cute kitten, reassuring victims that clicking through that warning message to see it was the right call.
The script comes with two types of payload. The first is a miner that mines cryptocurrency for the attackers; the second is a backdoor that gives them remote access to the victim's machine.
One of the basic rules of internet security is to be careful when downloading files from strangers online. Failing that, you should at least open such files in a sandbox or use a security product that blocks malicious scripts from running on your machine.