A zero-day vulnerability impacting Telegram Messenger’s Windows client had been exploited in malicious attacks for months before being discovered and addressed.
Exploitation of the bug involves the use of a classic right-to-left override attack when a file is sent using the messenger service. The special nonprinting right-to-left override (RLO) character represented as ‘U+202E’ is used to reverse the order of the characters following it in the string.
Cybercriminals have discovered that they could leverage the character to mislead victims by hiding the name and extension of an executable file. Thus, if an application is vulnerable to the attack, the filename and extension would be displayed either incompletely or in reverse.
According to Kaspersky, which observed the attacks abusing the flaw, the attack chain involves sending malware in a message, but using the special character to hide it. A JS file could be renamed as photo_high_re*U+202E*gnp.js, which would make Telegram display the string gnp.js in reverse, thus appearing to the unsuspecting user as a PNG image file instead.
Kaspersky learned of the issue in October 2017 and, after an investigation into the matter, discovered that cybercriminals had been abusing it since at least March 2017, in a multitude of attack scenarios.
Some of the incidents, the researchers say, resulted in the attackers taking control of the victim’s system. For that, however, analysis of the target system’s environment and the installation of additional modules was necessary.
Such an attack starts with an initial downloader being sent to the target. It would achieve persistence and then begin checking for commands arriving from the control bot. The loader could silently deploy malicious tools such as backdoors, loggers, and other malware on the target system.
The vulnerability was also abused in attacks involving miners, Kaspersky says. The infection would start with an SFX archive with a script designed to launch a BAT file posing as an executable. The program would first open a decoy file, when it would launch two miners as services, using the nssm.exe utility for this operation.
One of the programs was nheq.exe, an Equihash miner for NiceHash (it mined Zcash in the observed attack), while the other was taskmgn.exe, a popular miner implementing the CryptoNight algorithm and used to mine Fantomcoin and Monero.
In some attacks, the batch script had extra capabilities, being able to disable Windows security features and to download an additional payload from a malicious FTP server. The payload contained more miners and a Remote Manipulator System (RMS) client for subsequent remote access.
On the malicious FTP server, the researchers discovered archives containing Telegram directories stolen from the victims, some of which were created in March 2017. Inside the archives, Kaspersky found “an encrypted local cache containing different files used in personal communications: documents, videos and audio records and photos.”
In another attack scenario, an SFX archive launching a VBScript was observed. It too would open a decoy image to distract the user, then fetch and run the payload, another SFX archive containing a script designed to control the launch of the miner CryptoNight (csrs.exe). The script monitors the task list and terminates the miner if a task manager (taskmgr.exe, processhacker.exe) is on that list.
“It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals,” Kaspersky says.
The researchers couldn’t determine which versions of Telegram were affected by the vulnerability, but they believe that the exploitation of flawed Windows clients started in March 2017. Telegram was informed on the bug and has since addressed it in its products.