Hackers have exploited a vulnerability in Telegram’s desktop messaging app to mine cryptocurrencies including Monero and Zcash, according to Kaspersky Lab.
The Russian security firm announced on its website that it had discovered ‘in the wild’ attacks carried out by a new piece of malware using a zero-day vulnerability in the Telegram desktop app. Its research suggests that the vulnerability has been actively exploited since March 2017.
According to Kaspersky, the zero-day vulnerability was based on the right-to-left override (RLO) Unicode method. The attackers used a hidden Unicode character in the file name, which reversed the displayed order of the characters in the name.
“As a result, users downloaded hidden malware which was then installed on their computers,” said Kaspersky Lab.
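The right-to-left override trick described above, shown from the defender’s side as an added example that is not part of the original article or Kaspersky’s research: the check flags file names carrying Unicode bidirectional controls, approximates what a bidi-aware renderer would display, and reports the extension the filesystem actually uses. The sample file names are constructed for the example.

```python
# Unicode bidirectional controls that can make a file name display in a
# different order than it is stored. U+202E is the RLO named in the article.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def contains_bidi_override(name: str) -> bool:
    """True if the name carries any bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)

def real_extension(name: str) -> str:
    """Extension as the filesystem sees it, ignoring display trickery."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def displayed_name(name: str) -> str:
    """Approximate what a naive bidi-aware renderer shows: text after an RLO
    is reversed until a PDF (U+202C) or the end of the string; other
    invisible bidi controls are dropped from the rendering."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def flag_suspicious(names):
    """Return (stored name, displayed name, real extension) for names that
    contain bidi controls, so a reviewer sees what the user saw versus what
    would actually run."""
    return [(n, displayed_name(n), real_extension(n))
            for n in names if contains_bidi_override(n)]

if __name__ == "__main__":
    # Constructed sample: the stored name ends in .exe but renders as .txt
    samples = ["report\u202etxt.exe", "notes.txt"]
    for stored, shown, ext in flag_suspicious(samples):
        print(f"shown as {shown!r}, stored as {stored!r}, real extension .{ext}")
```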
During its research the security company identified several scenarios of zero-day exploitation. One was delivering mining malware to produce digital currencies such as Monero, Zcash, and Fantomcoin. The second was installing a backdoor to gain remote access to a victim’s computer.
While analysing a threat actor’s servers, Kaspersky Lab also discovered archives containing a Telegram local cache that had been stolen from victims.
Kaspersky said that it had reported the vulnerability to Telegram ‘and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.’
Alexey Firsh, malware analyst at Kaspersky Lab, said:
“We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability.”
Over the weekend thousands of websites in the U.K. and worldwide were reportedly infected with malware that used victims’ computers to mine cryptocurrency.
On Sunday, the BBC reported that the U.K.’s data protection authority, the Information Commissioner’s Office (ICO), had taken down its website after receiving a warning that it had been infected by malware. Several English councils, the Student Loan Company, and the National Health Service (NHS) were also targeted.
The malware was added to website code through Browsealoud, a plugin that helps the blind and partially sighted to access the Internet. Texthelp, which operates Browsealoud, took its website down while it worked to resolve the issue. The malicious software, Coinhive, then used visitors’ computing power to mine Monero. It is reported that over 5,000 websites were affected as a result.