Cybercriminals exploited Telegram flaw to deliver malware

Kaspersky Lab researchers discovered a flaw in Telegram’s desktop instant messaging client for Windows was exploited for months by Russian cybercriminals to deliver malware to users.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017,” malware analyst Alexey Firsh shared.

The hackers took advantage of the fact that the Telegram app for Windows accepts and uses a specific character.

The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.

This is just what happened in these attacks: the criminals prepared the malware (a JavaScript file) and gave it a name and icon that is unlikely to raise suspicion with many users (but would not change the nature of the file).

For example: the file name photo_high_re*U+202E*gnp.js would show as photo_high_resj.png.




%d bloggers like this: