Telegram messenger used to spread cryptocurrency-mining malware

The Telegram messenger was used to spread malicious software that mines cryptocurrency. Researchers from Kaspersky Lab discovered attacks that exploited a zero-day vulnerability in the desktop version of the Telegram client. The previously unknown flaw was used to deliver multi-purpose malware that, depending on the computer, acted either as a backdoor or as a loader for cryptocurrency-mining software. The research shows that the vulnerability had been actively exploited since March 2017 to mine cryptocurrencies, including Monero and Zcash.

Figure: Telegram messenger, malicious message. The criminals sent a JS file to random users; at first glance the file looked like a PNG image.
Figure: Telegram messenger, JavaScript code. Only when the user tried to open the file did its real type become apparent.

The Telegram messenger was used to infect computers

According to the research, the zero-day vulnerability in the Telegram application stemmed from its handling of the Unicode right-to-left override character (RLO, U+202E), which exists to display languages written from right to left, such as Arabic or Hebrew. Unfortunately, the same mechanism can be abused by malware authors to trick users into downloading malicious files disguised, for example, as images.

The attackers inserted this non-printing character into the file name, which reversed the direction in which the characters after it were displayed and so changed how the name appeared to the user. As a result, users downloaded and opened disguised malware, which then installed itself on their computers. Kaspersky Lab reported the vulnerability to Telegram's developers, and the technique has not been observed in the messenger since.
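The trick is easy to see in code. The following is an added example, not code from the article or from Kaspersky Lab: the file name is constructed to match the kind of lure the research describes (a JS file that displays as a PNG), the extension list is an illustrative assumption, and the rendering function only approximates the full Unicode bidirectional algorithm, which is enough to show why the displayed name and the real extension disagree.

```python
# Added example: how a right-to-left override (RLO, U+202E) disguises a script as an
# image, and a check that exposes it. Not the article's or Kaspersky Lab's code.

# Unicode bidi control characters: none of them print, all of them change how the
# surrounding text is laid out.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO = "\u202e"

# Illustrative assumption; extend with the file types your environment executes.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "exe", "scr", "ps1"}

# Constructed lure: the raw name is "photo_high_re" + RLO + "gnp.js", i.e. a JavaScript file.
LURE = "photo_high_re" + RLO + "gnp.js"


def strip_bidi_controls(name: str) -> str:
    """Return the name with every bidi control character removed."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what the user sees: everything after the first RLO is drawn reversed.

    Simplified model, not the full Unicode Bidirectional Algorithm."""
    if RLO not in name:
        return strip_bidi_controls(name)
    head, tail = name.split(RLO, 1)
    return strip_bidi_controls(head) + strip_bidi_controls(tail)[::-1]


def real_extension(name: str) -> str:
    """The extension the OS acts on: the text after the last dot in the raw name."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def analyze_filename(name: str) -> dict:
    """Report the bidi controls present and whether displayed and real types disagree."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    actual_ext = real_extension(name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": actual_ext,
        "bidi_controls": controls,
        # Flag the dangerous case: a control character is present and the real type executes.
        "suspicious": bool(controls) and actual_ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    report = analyze_filename(LURE)
    print("user sees :", report["displayed"])      # photo_high_resj.png
    print("OS opens  :", report["real_extension"])  # js
    print("suspicious:", report["suspicious"])      # True
```

The operating system acts on the raw name, so `real_extension` is what decides what runs when the user double-clicks. A download or mail filter gains nothing by trying to decide which renderings are harmless; quarantining any attachment whose name contains a bidi control character is the simpler rule.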

Figure: Telegram messenger, BAT file.

During their analysis, Kaspersky Lab experts identified several ways in which cybercriminals used the zero-day. First, it was used to deliver cryptocurrency-mining software, which can cause significant damage: using the computing power of victims' computers, the criminals mined various cryptocurrencies, including Monero, Zcash and Fantomcoin. What's more, when analysing the criminals' servers, Kaspersky Lab researchers found archives containing the local cache of the Telegram application, stolen from victims.

Second, after successful exploitation of the vulnerability, a backdoor was installed that used the Telegram API as its command-and-control channel, giving the criminals remote access to the victim's computer. The malware then ran silently, letting the attackers remain unnoticed on the network while executing various commands, including installing additional spyware.
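A backdoor that talks to the Telegram API blends in with legitimate messenger traffic, so one practical detection is to ask which processes are talking to it. The following is an added example, not code from the article or from the research: it runs over a few constructed proxy log lines (the line format, the API hostname and the allow-list of processes are assumptions to adapt to your own telemetry) and flags Telegram API connections from processes that are neither the Telegram client nor a browser.

```python
# Added example: flag Telegram API use by unexpected processes. Not the article's code.
import re
from collections import Counter

# Constructed sample log in an assumed "timestamp host process dest_host dest_port"
# format; these are not real logs from the campaign.
SAMPLE_LOG = """\
2017-03-14T10:02:11Z WS-01 Telegram.exe api.telegram.org 443
2017-03-14T10:05:43Z WS-01 chrome.exe web.telegram.org 443
2017-03-14T10:07:02Z WS-07 svchost.exe api.telegram.org 443
2017-03-14T10:07:05Z WS-07 svchost.exe api.telegram.org 443
2017-03-14T10:09:30Z WS-03 wscript.exe api.telegram.org 443
this line does not parse and is skipped
"""

# Assumptions: api.telegram.org serves the Telegram Bot API; the allow-list names the
# processes that legitimately reach it on a workstation (tune per environment).
TELEGRAM_API_HOSTS = {"api.telegram.org"}
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line: str):
    """Return (timestamp, host, process, dest_host, dest_port) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, port = m.groups()
    return ts, host, proc, dest, int(port)


def find_suspect_telegram_c2(log_text: str) -> dict:
    """Count Telegram API connections per (host, process) for processes outside the allow-list."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, proc, dest, _ = rec
        if dest.lower() in TELEGRAM_API_HOSTS and proc.lower() not in EXPECTED_CLIENTS:
            hits[(host, proc)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), n in sorted(find_suspect_telegram_c2(SAMPLE_LOG).items()):
        print(f"{host}: {proc} contacted the Telegram API {n} time(s)")
```

Connections from script hosts (wscript.exe, cscript.exe, powershell.exe) deserve the most attention, since the lure in this campaign was a JavaScript file; on a machine with no Telegram client installed at all, any traffic to the API is worth a look.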

Linguistic traces found in the malicious code point to cybercriminals of Russian origin.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.