Users of Telegram’s desktop client were delivered crypto-mining malware thanks to this zero-day vulnerability.
There’s good news, and then bad news. We like to start with the good news, right? Alright then, the good news is that Telegram is no longer affected by this zero-day exploit. Want some more good news? If you were not a user of Telegram’s desktop client, then you were safe. The last bit of good news? If you’re not in Russia, you were probably not a target either. Now, on to the bad news.
The bad news is that there was a zero-day exploit being used against users of Telegram’s desktop client. Want some more bad news? The exploit was in use for months before it was discovered by Kaspersky security researcher Alexey Firsh. The last bit of bad news? This exploit was based upon a vulnerability that has been known since 2013.
The vulnerability itself came down to how Telegram’s Windows client handled the RLO (right-to-left override) Unicode character, U+202E. Because the client rendered the override instead of neutralizing it, malicious actors could camouflage malware as simple image files.
**For example, in one campaign crooks sent users a file named “photo_high_re*U+202E*gnp.js”, where *U+202E* is the RLO character. When the file’s name was rendered on screen, the part of the name after the RLO character was flipped and the file appeared as “photo_high_resj.png”.**
Users would click what appeared to be a simple image file and instead welcome backdoors, crypto miners, and spyware onto their systems. It appears that the primary payload was crypto-miners, which turned users’ machines into Monero, Zcash, and Fantomcoin miners. Kaspersky believes the attack was being carried out by Russian actors against Russian victims.
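To show how the RLO trick works and how a defender can catch it, here is an added example (not code from the article or from Telegram) that simulates the naive display of a file name containing U+202E and compares the extension a user sees with the extension the operating system actually uses. The sample file names, including the one from the campaign above, are constructed inline.

```python
import os

# Unicode bidirectional control characters. None of them change the bytes the
# OS uses to pick a file handler, but they can change what the user sees.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def simulate_rlo_display(name: str) -> str:
    """Approximate how a renderer that honours U+202E draws the name:
    everything after the override is laid out right-to-left, i.e. reversed."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def analyze_filename(name: str) -> dict:
    """Report bidi controls, the displayed name, and whether the extension the
    user sees differs from the one the OS will act on."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    displayed = simulate_rlo_display(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed)[1].lower()
    return {
        "controls": controls,
        "displayed_as": displayed,
        "real_extension": real_ext,
        "shown_extension": shown_ext,
        # Flag only when a control character actually hides the real type;
        # a lone RLM in a legitimately bidi name is not proof of malice.
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


# Constructed samples: the campaign's name, a clean name, and a benign bidi mark.
SAMPLES = [
    "photo_high_re\u202egnp.js",
    "holiday.png",
    "invoice\u200f.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", analyze_filename(sample))
```

Running it shows the campaign file is executed as `.js` while being displayed as `.png`; a mail gateway or download filter can apply the same check before a user ever sees the name.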
Source: Bleeping Computer