Telegram Desktop App Latest Victim of Cryptocurrency Mining Malware

Messaging app Telegram has become the latest victim of cryptocurrency mining malware, as researchers at Kaspersky Lab have revealed a now-patched vulnerability that allowed hackers to exploit a flaw in the platform’s file transfer service.

Kaspersky said that the vulnerability, which was first exploited in March 2017 and discovered by researchers in October, was a “classic right-to-left override attack.”

Simply put, this attack exploited the portion of Telegram’s software that enabled the messenger to display Arabic and Hebrew, languages that are read from right to left. The hackers were able to use this feature to reverse the order of characters in filenames, which allowed them to disguise suspicious file extensions as images or other seemingly non-threatening file types.
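The trick described above relies on the Unicode RIGHT-TO-LEFT OVERRIDE character (U+202E): everything after it is drawn reversed, so a name ending in `gnp.js` is shown as `sj.png` while the operating system still sees a `.js` file. The following Python script is an added example written for this article, not code from Kaspersky or Telegram; the filename it checks is constructed, and its rendering function is a deliberate simplification that only models U+202E and its closing U+202C pop, which is enough to show the mismatch a file-receiving service or mail gateway should be flagging.

```python
import unicodedata
from pathlib import PurePosixPath

# Unicode bidirectional control characters that can change how a filename is drawn.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # embeddings, overrides, pop
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates, pop isolate
}
RLO = "\u202E"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"   # POP DIRECTIONAL FORMATTING

# Extensions Windows will execute or hand to a script host (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".ps1", ".hta", ".msi", ".jar", ".pif", ".lnk",
}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a naive file list shows: text after U+202E is drawn reversed
    until a U+202C pop or the end of the string. Other bidi controls are not modelled."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1          # skip the pop character itself, if present
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi_controls(name):
    """Mitigation: remove bidi controls before storing or showing a user-supplied filename."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def assess(name):
    """Compare the extension the OS will act on with the one a user would see."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    true_ext = PurePosixPath(name).suffix.lower()      # what the OS uses
    shown_ext = PurePosixPath(shown).suffix.lower()    # what the user reads
    return {
        "displayed": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls),                  # any bidi control in a filename is a red flag
        "executable": true_ext in EXECUTABLE_EXTENSIONS,
        "sanitized": strip_bidi_controls(name),
    }


if __name__ == "__main__":
    # Constructed sample: raw bytes say ".js", the screen says ".png".
    for sample in ("photo_high_re\u202Egnp.js", "holiday.png"):
        result = assess(sample)
        print(f"{result['displayed']!r}: true={result['true_extension']} "
              f"shown={result['displayed_extension']} suspicious={result['suspicious']} "
              f"executable={result['executable']}")
```

A receiving service has two reasonable options, both shown here: reject or quarantine any name containing a bidi control, or strip the controls so that the stored and displayed name matches the real extension. Detection logic that only inspects the displayed string would miss this case entirely, which is why the check works on the raw code points.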

After users downloaded the files, embedded scripts would silently unleash a malware payload on the target operating system. One of the most prominent payloads was malware that harnessed the target computer’s processing power to mine cryptocurrencies for the attackers.

[Image: cryptocurrency mining malware. Source: Kaspersky]

These miners were primarily developed for the Equihash and Cryptonight mining algorithms, which are employed by privacy-centric cryptocurrencies Zcash (ZEC) and Monero (XMR), respectively.

Although the vulnerability affected all Telegram users, Kaspersky said that it appears only Russian hackers exploited it, which is why the vast majority of victims were Russian residents.

These types of attacks have become quite common in recent months, particularly since the development of CoinHive, a mining script that can be embedded in the background of websites and used to harness the computing power of visitors.

As BlockExplorer reported, more than 4,200 websites hosted by government agencies in the US and UK have recently been compromised through the use of a tool called BrowseAloud and injected with CoinHive-based mining malware scripts.

Telegram denied that the exploit was the result of a “real vulnerability,” arguing that users bore responsibility for choosing to download the files.

“This is not a real vulnerability on Telegram Desktop, no one can remotely take control of your computer or Telegram unless you open a (malicious) file,” Reuters cited the company as saying in a statement.

Nevertheless, the timing of the vulnerability’s disclosure is awkward for Telegram, as the company is reportedly preparing to launch a record-shattering initial coin offering (ICO) that could raise up to $2 billion.

Featured Image from MaxPixel

David Murray

David has been following the development of cryptocurrency technology for several years, and he is optimistic about its potential to democratize the financial system.
