Telegram messenger used to spread cryptocurrency-mining malware
The Telegram messenger has been used to spread malicious software that mines cryptocurrency. Researchers from Kaspersky Lab discovered attacks in which malware was delivered through a zero-day vulnerability in the desktop version of the messenger. The previously unknown flaw was used to deliver multi-purpose malware which, depending on the target computer, acted either as a backdoor or as a loader for cryptocurrency-mining software. According to the research, the vulnerability has been actively exploited since March 2017 to mine cryptocurrencies including Monero and Zcash.
The Telegram messenger was used to infect computers
According to the study, the zero-day vulnerability in the Telegram application lies in how it handles the Unicode mechanism used for languages written from right to left, such as Arabic or Hebrew. Unfortunately, that mechanism can also be abused by malware authors to trick users into downloading malicious files that are disguised, for example, as images.
The attackers placed a hidden control character in the file name (the Unicode right-to-left override, U+202E), which reverses the display direction of the characters that follow it and so changes how the file name appears. A file whose real name ends in an executable extension is shown to the user as if it ended in an image extension, while the operating system still treats it by its real extension. As a result, users downloaded and opened what they believed were harmless files, and the malware was installed on their computers. Kaspersky Lab reported the vulnerability to the Telegram developers, and since then it has not been observed in the messenger.
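The following is an added example, not code from the article or from Kaspersky Lab, showing how the right-to-left override trick changes a displayed file name and how a download handler or mail gateway can flag such names. The sample file names are constructed for illustration; `rendered_name` is a deliberate simplification of the Unicode Bidirectional Algorithm (it only models an RLO reversing the text up to a matching PDF or the end of the string), which is enough to reproduce the trick but is not a full bidi renderer.

```python
import os
import unicodedata

# Unicode bidirectional control characters: explicit embeddings, overrides
# and isolates. None of them belong in a legitimate file name. The Telegram
# trick relies on U+202E RIGHT-TO-LEFT OVERRIDE (RLO).
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)
RLO = "\u202e"
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING ends an RLO run


def find_bidi_controls(name: str) -> list:
    """Return (index, 'U+XXXX NAME') for every bidi control in *name*."""
    return [
        (i, f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}")
        for i, c in enumerate(name)
        if c in BIDI_CONTROLS
    ]


def strip_bidi_controls(name: str) -> str:
    """The name as the file system actually stores and interprets it."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows the user (simplified model).

    Assumption: an RLO reverses the visible characters that follow it until
    a PDF or the end of the string; all other controls are simply invisible.
    """
    out = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            segment = strip_bidi_controls(name[i + 1:end])
            out.append(segment[::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1            # invisible, no effect in this simplified model
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyse(name: str) -> dict:
    """Compare real and displayed name/extension and flag the mismatch."""
    real = strip_bidi_controls(name)
    shown = rendered_name(name)
    real_ext = os.path.splitext(real)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    controls = find_bidi_controls(name)
    return {
        "real_name": real,
        "displayed_name": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        # Any bidi control in a file name is suspicious on its own; a
        # differing extension is the actual deception.
        "suspicious": bool(controls),
        "extension_mismatch": real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample names: one RLO-disguised script, one clean file.
    for sample in ("photo_high_re\u202egnp.js", "report.pdf"):
        for key, value in analyse(sample).items():
            print(f"{key:>20}: {value!r}")
        print()
```

In practice the check belongs wherever a file name is shown to a user or written to disk: reject or rename any name containing a bidi control, and never rely on the displayed extension to decide whether a download is safe.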
During their analysis, Kaspersky Lab experts identified several ways in which cybercriminals used the zero-day vulnerability. First, it was used to deliver cryptocurrency-mining software, which can cause significant damage: using the computing power of the victims' computers, the criminals mined various cryptocurrencies, including Monero, Zcash and Fantomcoin. Moreover, while analysing the attackers' servers, the researchers found archives containing the local cache of the Telegram application, which had been stolen from victims.
Secondly, after successful exploitation of the vulnerability a backdoor was installed that used the Telegram API as its command-and-control channel, giving the attackers remote access to the victim's computer. The malware then operated silently, allowing the attackers to remain unnoticed on the network and execute various commands, including installing further spyware.
Linguistic traces found in the malicious code point to a Russian origin of the cybercriminals.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.