Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Telegram users have fallen victim to a right-to-left override attack that fools them into thinking a JavaScript file is a .PNG image; when run, the file installs cryptomining and command and control software.
  • The attack is reportedly confined to Russia, but as with similar attacks, it’s likely to spread. US-based security teams should make sure anyone who uses Telegram for work has the latest version, and warn employees not to open attachments from unknown sources.

Kaspersky Lab has reported the discovery of a zero-day flaw in popular messaging app Telegram that allowed hackers to install backdoors and cryptomining malware.

The Telegram hack, which only targets the Telegram desktop app, works by exploiting the Unicode right-to-left override (RLO) character, which is used to display scripts that read right to left, such as Hebrew and Arabic. Using RLO to reverse part of a file name, as was the case in this attack, can convince a user to download and open malicious code disguised as a different type of file.

In a detailed breakdown of how the Telegram hack works, Kaspersky Lab malware analyst Alexey Firsh said the attack was only detected inside Russia, but that's no reason to become complacent: attacks like this can easily spread.

Making a malicious message

RLO is legitimately applied inside documents and messages when text in a right-to-left script is displayed. The Unicode character U+202E reverses the display order of any text that follows it, and it can be inserted into file names just as easily as into documents.

In the Russian Telegram hack detected by Kaspersky Lab, the Unicode RLO character was inserted into the name of a JavaScript file, gnp.js. The full file name, photo_high_re followed by U+202E and then gnp.js, is displayed to the recipient as photo_high_resj.png; the attacker then has to hope the recipient opens what is really a JavaScript file, which in turn installs the attacker's malicious software.
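The renaming trick described above is easy to catch mechanically: the operating system decides what to run based on the raw bytes after the last dot, while the user sees the bidi-reordered string. The following Python is an added example written for this article, not code from Kaspersky Lab or the original report; it approximates how an RLO-containing name is displayed, extracts the real extension, and flags the mismatch. The list of "dangerous" extensions and the constructed sample file names are assumptions for illustration.

```python
# Unicode bidirectional control characters that can re-order displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the Telegram attack.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Assumed list of extensions that Windows will execute on double-click.
EXECUTABLE_EXTS = ("js", "jse", "exe", "scr", "vbs", "bat", "cmd", "ps1", "hta")


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in a file name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """The extension the OS actually uses: text after the last '.' in the raw string."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate what a renderer shows to the user.

    An RLO (U+202E) reverses everything after it up to a matching PDF (U+202C)
    or the end of the string. Other controls are simply dropped from the output;
    their reordering effects are not modelled here.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])  # reversed run
            i = j + 1                         # skip past the PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1                            # invisible control: hide it
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess(name):
    """Flag a file name whose displayed form hides an executable extension."""
    controls = find_bidi_controls(name)
    ext = real_extension(name)
    shown = displayed_name(name)
    return {
        "displayed": shown,
        "real_extension": ext,
        "bidi_controls": controls,
        # Suspicious when a bidi control is present and the true extension is executable.
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample names: the article's example plus a benign control.
    samples = ["photo_high_re\u202egnp.js", "holiday_photo.png", "report\u202efdp.exe"]
    for s in samples:
        verdict = assess(s)
        print(f"shown as {verdict['displayed']!r:28} real ext={verdict['real_extension']!r:6} "
              f"controls={verdict['bidi_controls']} suspicious={verdict['suspicious']}")
```

A mail gateway or endpoint agent applying this check would reject or quarantine the file before the user ever sees the misleading name; the same logic applies to any client that renders attachment names, not just Telegram.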

Clicking on the malicious file prompts a Windows security warning, as shown in the image below. Like similar attacks involving disguised files, the attack on the desktop Telegram app relies on users ignoring warnings that, if read, should raise red flags.

What attackers are installing

Kaspersky Lab discovered two distinct malware types while investigating the Telegram RLO attack: cryptomining software and a backdoor that used the Telegram API as a command and control protocol.

The cryptomining software installed by the attack, like others, uses the victim’s CPU and GPU to mine cryptocurrency for the attacker.


Cryptomining malware is dangerous, and can have a destructive effect on hardware that's pushed to its limits for extended periods of time. For the miner, though, that's where the danger ends; the same can't be said for the command and control software attackers are also installing.

The full list of commands available to the attacker, shown below, allows an attacker to install additional malware, steal system information, or kill processes that threaten the malware's operation.

Kaspersky Lab also reported that its investigations uncovered the local cache of a user’s Telegram on a server belonging to an attacker, meaning it’s possible for attackers to steal personal data as well.

Kaspersky reached out to the Telegram team, and said the zero-day no longer works in its tests of updated Telegram software.

Other chat programs and outdated versions of Telegram may still be vulnerable. IT teams need to be sure users who have Telegram are updated to the latest version, and that all users are trained on the importance of not opening files from unknown sources.
