In short:- A zero-day vulnerability has been discovered in the desktop version of the end-to-end encrypted Telegram messaging app that was being exploited in the wild to spread malware that mines cryptocurrencies such as Monero and ZCash.
In October 2017, security researcher Alexey Firsh from Kaspersky Lab found a vulnerability in the Telegram Desktop app. The vulnerability was reported, but no steps have been taken so far; that is why it is known as a zero-day vulnerability in Telegram. It affects only the Windows client of the Telegram messaging software.
This flaw can be used in many ways to install any kind of malicious software on someone's PC without their consent, and attackers have actively exploited it to deliver viruses and ransomware, to spy on people, to steal private information and more. Not only this, but for the past 2 days this flaw has also been exploited to mine cryptocurrency on victims' desktops.
To understand this, one should first know what the vulnerability actually is and how it can be exploited. After that, we will see how this vulnerability can be used to carry out further attacks. So, let's get started...
What exactly is the flaw in Telegram and how is it exploited?
Basically, everything starts with knowing that there are two kinds of human writing systems: one is written from left-to-right and the other from right-to-left. We all know many languages that are written from left-to-right, such as English, but languages like Arabic or Hebrew are written from right-to-left. Oh... you might be wondering why this is so important to know in a field like hacking! So, let's move forward.
The vulnerability resides in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for encoding languages that are written from right-to-left. This Unicode character forces the text that follows it to be displayed from right-to-left instead of left-to-right.
In the Unicode character table it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is typically abused in the display of the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.
Now let's see how this concept is used in performing hacks. Below is an account of how this vulnerability was exploited in Telegram:
- The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:
evil.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character that makes Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file – it still has the extension *.js.
- The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file.
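As an added example (not part of the original article or of Kaspersky's analysis), the following Python checker shows the defender's side of the trick described above: it takes the exact filename from the example, approximates what a bidi-aware UI would render, and compares the displayed extension with the extension the operating system will actually use. The single-RLO rendering (everything after U+202E reversed) is a simplification of the Unicode bidi algorithm, so treat any bidi control character in a filename as worth flagging, regardless of the rendered form.

```python
import unicodedata

# Unicode bidirectional classes of the embedding/override/isolate controls
# (U+202A..U+202E and U+2066..U+2069). They change how a name is drawn but
# never change the bytes the OS uses to choose a file handler.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF",
                        "LRI", "RLI", "FSI", "PDI"}


def rendered_name(name: str) -> str:
    """Approximate what a naive bidi-aware UI shows for a filename that
    contains a single RLO: the text after U+202E is drawn reversed."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Report bidi controls in a filename and the displayed vs. real extension."""
    found = [(i, unicodedata.bidirectional(ch))
             for i, ch in enumerate(name)
             if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]
    # The real extension comes from the raw name with controls stripped out,
    # because the OS ignores rendering and looks at the actual characters.
    stripped = "".join(ch for ch in name
                       if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)
    shown = rendered_name(name)
    displayed_ext, real_ext = extension_of(shown), extension_of(stripped)
    return {
        "bidi_controls": found,                 # [(index, class), ...]
        "displayed_as": shown,
        "displayed_ext": displayed_ext,
        "real_ext": real_ext,
        "extension_mismatch": displayed_ext != real_ext,
        "suspicious": bool(found),              # any bidi control is a red flag
    }


if __name__ == "__main__":
    # Constructed sample: the filename from the article, RLO inserted.
    for n in ("photo_high_re\u202egnp.js", "holiday.png"):
        print(repr(n), analyze_filename(n))
```

For the article's filename the report shows it rendered as photo_high_resj.png, a displayed extension of png and a real extension of js, which is exactly the mismatch a mail or chat gateway should block or rename before the user ever sees the file.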
Hence, this kind of vulnerability tricks a user into downloading malicious software onto his/her desktop; the script then gets executed and everyone here knows what happens next. The piece of malware installed can download another payload from some insecure website, turn Windows security down, take control of the desktop's startup and much more. In other words, once malware is installed and the system is under the attacker's control, the attacker can do anything they want with it.
Update:- Source code of the malware and cryptocurrency miners has been removed from this site due to the leak of harmful data. I would not take responsibility for its misuse, so it was better to remove it from here. Though, I am dropping a link at the end of this article to a website where you can find them. Take a risk and visit it if you want.
How is it used to mine cryptocurrency?
The task is done in several small steps. In the first step, the malware gets installed on the system and takes remote control of it. From then on it can do whatever the hell it wants. It uses the Telegram API to reach a bot that controls the whole system remotely.
Now the question is, how is this bot able to control the whole system? Telegram allows bots to exchange messages, and the malware running on the victim's machine reads commands from the bot and executes them locally. On analysis, security researchers found that these commands are written in Russian. The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system.
The next step taken by this malware is to add itself to the Windows startup registry. That makes the malware run every time your computer boots, so at this stage it has a way of getting into memory every time you start your desktop.
In the last stage, it downloads a cryptocurrency miner from untrusted websites and installs it on your PC. It also adds the miner to startup so that mining begins as soon as your OS starts. Much more was discovered about its use, and one thing I would like to mention here is that the malware also installed spyware on the system: an FTP server was found with dumps of Telegram users' data. Mentioning everything here is beyond my capacity - just google it.
How to protect yourself?
The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources. The security firm also recommended that users avoid sharing any sensitive personal information in messaging apps and make sure to have good antivirus software from a reliable company installed on their systems.
Stay in touch for more updates. Thanks!