Kaspersky Lab has revealed that in October 2017, they had discovered a flaw in Telegram Messenger’s Windows desktop client that was being exploited “in the wild”. According to Kaspersky, the flaw has allegedly been by Russian cybercriminals in a cryptomining campaign.
The Telegram vulnerability involves the use of an RLO (right-to-left override) attack when the user sends a file through the messenger.
RLO Unicode method is primarily used for coding languages that are written right-to-left, such as Hebrew or Arabic, but hackers can use it to trick users into downloading malicious files. When an app is vulnerable to attack, it will display a filename incompletely or in reverse.
Kaspersky has said that it seems that only Russian cybercriminals were aware of this flaw and were exploiting it — not to spread ransomware but cryptomining malware.
The attacks enabled cybercriminals to not just spread the cryptomining malware but also to install a backdoor to remotely control victims’ computers.
“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017,” read the report Kaspersky published on the flaw.
In the report, Alexey Firsh, cyberthreat researcher at Kaspersky, has outlined several scenarios that show cases of how the vulnerability was actually exploited.
He also wrote that Telegram was informed of this flaw and it no longer occurs in their products.