Kaspersky Lab, the Russian Cyber Security Firm
Kaspersky Lab reported that attackers had discovered an exposed backdoor in Telegram Messenger; this vulnerability let the attackers turn computers into cryptocurrency miners without their owners' knowledge.
These clandestine crypto-mining operations had been going on since March 2017, reported Kaspersky Lab, the company that discovered and exposed the attacks. Kaspersky also said that a zero-day vulnerability in the Telegram desktop app gave the attackers the ability to create and spread a previously unseen type of malware that could install a backdoor Trojan and also mine cryptocurrency.
A Kaspersky Lab analyst said they had found a number of possible uses of the zero-day exploit: besides delivering spyware and other malware, it could also silently deliver unknown software for mining cryptocurrency, and infections of this kind had become a global phenomenon.
Here is a little insight into how the Telegram vulnerability works. The flaw lies in the way the Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E). That character is normally used to encode languages that are written from right to left, such as Hebrew or Arabic. According to Kaspersky's report, the malware authors gained access to computers by hiding an RLO character in a file name: it flips the order of the characters that follow it, so the file appears under a different name. For example, an attacker names a file "IMG_high_re*U+202E*gnp.js" and sends it to someone over Telegram; at the recipient's end the file is shown as "IMG_high_resj.png" (notice how the file extension has been flipped). The user clicks on the file thinking it is a picture, and a JavaScript file containing the malware is then secretly downloaded.
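As an added example, not taken from the article or from Kaspersky's report, here is a Python check a defender could run over incoming attachment names to flag the kind of extension spoofing described above. The list of executable extensions and the simplified rendering model (text after an RLO is simply shown reversed) are assumptions made for illustration.

```python
import os

# Unicode bidi control characters that can reorder how a name is displayed.
# U+202E (RLO) is the one in Kaspersky's report; the embedding and isolate
# controls are flagged too, since they allow the same class of spoofing.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"

# Extensions Windows will execute on double-click (illustrative list, assumed).
EXECUTABLE_EXTS = frozenset(
    {".js", ".jse", ".vbs", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".hta"}
)


def contains_bidi_control(name: str) -> bool:
    """True if the file name carries any bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI renders: text after an RLO is reversed.

    Simplified model (assumption): at most one RLO, no other bidi controls
    and no strong right-to-left letters in the name.
    """
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def true_extension(name: str) -> str:
    """Extension the OS actually dispatches on, with bidi controls removed."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def assess(name: str) -> dict:
    """Classify an attachment name for a gateway filter or detection rule."""
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    has_control = contains_bidi_control(name)
    return {
        "displayed": shown,
        "true_extension": real_ext,
        "bidi_control": has_control,
        # The dangerous combination: a bidi control that makes an executable
        # type look like a harmless one.
        "spoofed_executable": has_control and real_ext in EXECUTABLE_EXTS
        and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample: the name from the report with the RLO in place.
    print(assess("IMG_high_re\u202egnp.js"))
```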
Founder of Telegram
However, the founder of Telegram wasted no time in playing down the allegations. In his opinion, antivirus companies habitually exaggerate the severity of their findings to excite the public, and so should not be taken seriously. He also rebuffed Kaspersky's claim by explaining that what they had uncovered was nowhere near a vulnerability in the Telegram messaging app, and that cybercriminals had no way to gain access to users' computers unless the users themselves opened something malicious. He further assured Telegram users that they were safe and had always been safe.
According to Kaspersky, Fantomcoin, Monero, Zcash and other cryptocurrencies were acquired, and the evidence they had indicated that Russians were behind the malware, which could also be used as a backdoor giving hackers silent access to and control of users' computers. While analysing the malicious servers, Kaspersky also found records of a Telegram local cache that had most likely been stolen from victims.