CyberWisdom Safe Harbor Commentary on Telegram messaging app:
theregister.co.uk and securityaffair.co lay out how Telegram has fixed a security hole in its desktop application that hackers spent months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs.
Kaspersky Lab researcher Alexey Firsh discovered a zero-day vulnerability in the desktop Windows version in October. It is believed that criminals have been exploiting this flaw since at least March. The flaw stems from how the chat application handles the Unicode control character used for languages that read right-to-left, such as Hebrew and Arabic.
Telegram messaging app vulnerability
The bad news is that the Telegram zero-day flaw was exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.
According to the expert, hackers have actively exploited this flaw since at least March 2017. Attackers tricked victims into downloading a cryptocurrency miner or installing a backdoor.
“We learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in October 2017. It involves the use of classic right-to-left override attacks when users send files over the messenger service,” reads the experts’ analysis.
RLO Code in Telegram messaging app
The vulnerability relates to the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for languages written right-to-left, such as Arabic or Hebrew.
Attackers embed the invisible RLO Unicode character in a file name to reverse the display order of the characters that follow it, so the file name appears different from what it really is. In a real attack scenario, the attacker sends the file to the intended recipient.
The hacker crafted a malicious JavaScript file to send in a message and renamed it as follows:
evil.js -> photo_high_re*U+202E*gnp.js (*U+202E* is the RLO character)
The RLO character in the file name makes the string gnp.js display reversed: the file is really a .js file, but the victim is deceived into believing it is a harmless .png image.
Telegram messaging app zero-day attack scenario
When the user opens the file, Windows displays a security warning unless security notifications have been disabled in the system settings.
If the user ignores the warning and clicks “Run,” the malicious code is executed.
The expert reported the zero-day to the company, and Telegram immediately fixed the flaw.
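The file-name trick described above can be caught before a user ever sees the Windows prompt. The following detector is an added example (not code from the article, Kaspersky or Telegram); it uses a simplified rendering model in which an RLO reverses everything up to a PDF (U+202C) or the end of the string, which is enough to expose the photo_high_re<U+202E>gnp.js case from the text.

```python
import os
import unicodedata

RLO, PDF = "\u202e", "\u202c"
# Unicode bidirectional controls that can reorder or hide rendered text.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"               # LRM, RLM, ALM
)


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in the string."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a bidi-aware UI shows: characters after an RLO are
    drawn right-to-left (i.e. reversed) until a PDF or the end of the string.
    Control characters themselves are invisible and are dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            segment = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.extend(reversed(segment))
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def analyze_filename(name):
    """Compare the extension the OS will use with the one the user sees."""
    controls = find_bidi_controls(name)
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()       # what Windows executes
    shown = rendered_name(name)
    apparent_ext = os.path.splitext(shown)[1].lower()      # what the victim reads
    return {
        "displayed_as": shown,
        "real_extension": real_ext,
        "apparent_extension": apparent_ext,
        "has_bidi_controls": bool(controls),
        "extension_spoofed": bool(controls) and real_ext != apparent_ext,
    }
```

A defensive file gateway would reject or quarantine any attachment for which `has_bidi_controls` is true, and log `displayed_as` next to the real name so analysts see exactly what the recipient would have seen.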
“Kaspersky Lab reported the Telegram bug, and no zero-day vulnerabilities have been observed in the Messenger product at the time of release,” said Kaspersky’s analysis.
“During the analysis, Kaspersky Lab experts identified several scenarios of this zero-day being exploited in the wild by threat actors.”
Analysis of the servers used by the attackers indicates that they hold files from Telegram’s local cache, which means the threat actors used this vulnerability to steal victims’ data.
In another attack scenario, the crooks triggered the vulnerability to install malware that uses the Telegram API as a command-and-control mechanism.
“Second, after successful exploitation, a backdoor that uses the Telegram API as a command and control protocol was installed, giving the hacker remote access to the victim’s computer. After the installation was complete, it began running in silent mode, which allowed the threat actors to remain unnoticed in the network and execute different commands, including further installations of spyware tools,” continues the analysis.
According to the researchers, this flaw was known only to Russian criminal gangs and was not exploited by other crooks.
To mitigate the attack, download and open files only from trusted senders.
The security company also advises users to avoid sharing sensitive personal information in their messaging applications and to ensure that good anti-virus software is installed on the system.
JavaScript file
This nasty software can open a back door, snoop on the victim, mine alt-coins and much more. To the best of our knowledge, Telegram has corrected the bug in its open source application.
“The special non-printable right-to-left override (RLO) character is used to reverse the order of the characters that come after it in a string,” Kaspersky’s Alexey Firsh explained today.
“In the Unicode character table, it is represented as ‘U+202E’; one legitimate area of use is when entering Arabic text.
“This character can be used to mislead a victim during an attack and is usually used when displaying the name and extension of an executable: software vulnerable to such an attack will display an incomplete or reversed file name.”
Telegram’s Unicode Handling Disguises .JS Files as .PNG
Kaspersky staff found that hackers used this mistake in several ways. First, it was used to trick victims into installing remote-access trojans that regularly ping Russian servers and open a back door so criminals can remotely control the infected system.
In keeping with current trends, the hackers also exploited the vulnerability to install multiple copies of cryptocurrency-mining software that produces Zcash, Fantomcoin and Monero coins.
“It seems that only Russian cybercriminals are aware of this loophole and that all the exploitation cases we have found have taken place in Russia. In parallel with a detailed study of these attacks, we have uncovered a large number of artifacts pointing to Russian cybercriminals.”
“We have no definitive information on when and in what version the Telegram product was affected by this vulnerability; what we know is that its exploitation in the Windows client started in March 2017. We informed Telegram developers of this issue, and this loophole no longer exists in Telegram products.”
This comes less than a year after Telegram’s last serious flaw, and questions about its security have always existed. It does not encrypt conversations end-to-end by default, and it uses its own home-grown cryptography, which worries experts. Telegram insists its software is secure. Activists in repressive regimes may want to use more tried and tested tools, such as Signal, to avoid putting themselves in danger.
When can Telegram become safe?
Unicode clumsiness allowed months of malware installations: Telegram has fixed a security flaw in its desktop app that hackers spent several months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs. (theregister.co.uk)
Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware
Security researcher Alexey Firsh at Kaspersky Lab discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app that was exploited in attacks in the wild. The bad news is that the…