Telegram Vulnerability Exploited for Multi-Purpose Attacks and Cryptocurrency Mining

Alexey Firsh, a specialist at Kaspersky Lab, published a detailed report about a vulnerability discovered in the Windows client for Telegram. According to the researcher, the issue was found back in October 2017 and was exploited for multi-purpose attacks targeting Russian users. The report states that the bug involved the use of a classic right-to-left override (RLO) attack when sending files to a recipient.

This attack technique is not new; it has been around for over a decade. The special non-printable right-to-left override character (RLO), represented in Unicode as U+202E, forces the characters that follow it to be displayed right to left; it has legitimate uses, for example when typing Arabic text. In an RLO attack the character is used to mislead the victim, most often by disguising the name and extension of an executable file: software that renders the override shows the name partially or fully reversed, while the underlying string, and therefore the extension the operating system acts on, is unchanged.

Firsh explains that in Telegram, the bug was exploited as follows:

  • The attacker prepares the malware for sending. For example, a JS file is renamed like this: evil.js → photo_high_re<U+202E>gnp.js, where <U+202E> is the RLO character. Telegram renders the characters after it, gnp.js, right to left, so the name is displayed as photo_high_resj.png. The file itself still has a .js extension.
  • The attacker sends the message to the victim, who sees what appears to be a PNG image rather than a JS file.

When the victim opens the file, Windows dispatches it by its real .js extension, so Windows Script Host runs it; Windows shows its standard security warning first, unless that warning has been disabled in system settings. If the user confirms, the malicious file is executed.
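The following is an added example, not code from the Kaspersky report: it simulates how a viewer that honours RLO renders the filename from the steps above, compares that with the extension the operating system will actually dispatch on, and flags or strips the override. The rendering model (everything after the first U+202E is drawn reversed) is a simplification of the Unicode bidi algorithm that is sufficient for Latin-script names; the sample filename is constructed from the pattern in the report.

```python
# Added example, not code from the Kaspersky report: show how a bidi-override
# filename reads on screen versus what the OS will actually execute, and flag it.
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character used in the Telegram attack
# Every Unicode bidi control that can reorder displayed text, not just RLO:
# U+202A..U+202E (embeddings/overrides), U+2066..U+2069 (isolates), U+200E/F (marks).
BIDI_CONTROLS = (
    {chr(c) for c in range(0x202A, 0x202F)}
    | {chr(c) for c in range(0x2066, 0x206A)}
    | {"\u200e", "\u200f"}
)


def displayed_name(name: str) -> str:
    """Approximate what a viewer that honours RLO but does not strip it shows:
    everything after the first U+202E is drawn right to left, i.e. reversed.
    (A full bidi implementation is more subtle; this suffices for Latin names.)"""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """Extension the OS dispatches on: taken from the raw string, override and all."""
    return os.path.splitext(name)[1].lower()


def displayed_extension(name: str) -> str:
    """Extension the user believes they see."""
    return os.path.splitext(displayed_name(name))[1].lower()


def find_bidi_controls(name: str) -> list:
    """(index, code point, Unicode name) of every bidi control in the name."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def is_spoofed(name: str) -> bool:
    """True when a bidi control makes the visible extension differ from the real one."""
    return bool(find_bidi_controls(name)) and displayed_extension(name) != real_extension(name)


def sanitize(name: str) -> str:
    """Drop bidi controls so the stored and displayed name match what would run."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


if __name__ == "__main__":
    # Constructed sample: the filename pattern from the report, built inline.
    for sample in ("photo_high_re\u202egnp.js", "holiday.png"):
        print(repr(sample), "shows as", displayed_name(sample),
              "| real ext", real_extension(sample), "| spoofed:", is_spoofed(sample))
```

A client that wants to stay safe has two options shown here: refuse or warn on any name where `is_spoofed` is true, or simply store and display `sanitize(name)` so that what the user sees is what the OS will execute. Note that a name containing RLO whose visible and real extensions agree is not flagged, which keeps false positives on legitimate right-to-left text low.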

Real-World Exploitation Scenarios

Kaspersky Lab experts identified several real-world scenarios in which the bug was exploited. In one, the attack was used to gain control of the victim's system, study the environment and install additional modules. In the first stage the victim received a loader written in .NET that used the Telegram API as its command protocol: control went through Telegram bots, with the commands implemented in Russian.

The list of available commands showed that the bot could covertly deploy arbitrary backdoors, loggers, and other malware on the target system. The table below lists the full set of commands:

Command        Function
Онлайн         Send the controlling bot a list of files in its directory.
Запус          Run an executable file via Process.Start().
Логгер         Check whether the tor process is running, then download logg.zip, unpack it, delete the archive and run its contents.
Скачать        Download a file into its directory.
Удалить        Delete a file from its directory.
Распаковать    Unpack an archive from its directory using the specified password.
убить          Stop the specified process via process.Kill().
скачат         Same as Скачать (download); only the command parsing differs.
запуск         Same as Запус (run); only the command parsing differs.
удалить        Same as Удалить (delete); only the command parsing differs.
распаковать    Same as Распаковать (unpack); only the command parsing differs.
процессы       Send the controlling bot a list of the processes running on the PC.

Additionally, cryptocurrency miners were installed on the victims’ devices. In the first stage of the attack, an SFX archive with a script was used to launch an embedded executable file, run.exe, which was actually a BAT file. After extraction, the batch script performed the following actions:

  • First, it opened a decoy file (an image) to distract the victim.
  • Then, it sequentially launched miners as services using the nssm.exe utility, which was included in the same SFX archive.

For example, nheq.exe launched an Equihash miner for NiceHash (mining Zcash), utilizing both CPU and GPU resources. taskmgn.exe was another well-known miner using the CryptoNight algorithm, mining Fantomcoin and Monero.
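The following is an added example, not code from the report: a triage routine for the persistence mechanism described above, a miner registered as a Windows service through nssm.exe. nssm records the program it wraps under the service's registry key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application and AppParameters), and the sample dicts below mirror those values; they are constructed, not real telemetry. The directory patterns, miner-argument regex, lookalike list and the two-reason threshold are this example's own assumptions, not indicators taken from the report.

```python
# Added example, not from the report: triage services for a nssm-wrapped miner.
# Input dicts mirror HKLM\SYSTEM\CurrentControlSet\Services\<name> values:
# ImagePath, and for nssm-wrapped services Parameters\Application/AppParameters.
import difflib
import ntpath
import re

NSSM = "nssm.exe"
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\public|programdata)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# Assumed miner indicators: pool URLs, algorithm names, common miner flags.
MINER_HINTS = re.compile(
    r"stratum\+(tcp|ssl)://|cryptonight|equihash|monero|\bxmr\b|--donate-level|-o\s+\S+:\d+",
    re.I)
# Core binaries that malware likes to imitate by name (taskmgn.exe, csrs.exe ...).
SYSTEM_BINARIES = ["svchost.exe", "csrss.exe", "taskmgr.exe", "lsass.exe",
                   "explorer.exe", "conhost.exe", "services.exe"]

# Constructed sample mirroring registry values; not real telemetry.
SAMPLE_SERVICES = [
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe",
     "app": None, "app_params": None},
    {"name": "MyJenkins", "image_path": r"C:\tools\nssm\nssm.exe",
     "app": r"C:\Program Files\Java\bin\java.exe",
     "app_params": r"-jar C:\jenkins\jenkins.war"},
    {"name": "WinUpdateSvc", "image_path": r"C:\Users\user\AppData\Local\Temp\adobeR\nssm.exe",
     "app": r"C:\Users\user\AppData\Local\Temp\adobeR\nheq.exe",
     "app_params": "-l stratum+tcp://pool.example:3357 -u WALLET_PLACEHOLDER -t 4"},
    {"name": "CsrsHost", "image_path": r"C:\ProgramData\csrs.exe",
     "app": None, "app_params": None},
]


def lookalike_of(path: str):
    """Name of a core Windows binary this file imitates, if it sits outside the
    Windows directory (an exact copy outside System32 counts as well)."""
    if not path or WINDOWS_DIR.search(path):
        return None
    base = ntpath.basename(path).lower()
    best = difflib.get_close_matches(base, SYSTEM_BINARIES, n=1, cutoff=0.8)
    return best[0] if best else None


def triage_service(svc: dict) -> list:
    """Return the list of reasons a service looks like a nssm-wrapped miner."""
    reasons = []
    image = svc.get("image_path") or ""
    app = svc.get("app") or ""
    params = svc.get("app_params") or ""
    wrapped = ntpath.basename(image).lower() == NSSM
    if wrapped:
        reasons.append("wrapped by nssm.exe")
    for label, path in (("ImagePath", image), ("Application", app)):
        if USER_WRITABLE.search(path):
            reasons.append(f"{label} in user-writable directory")
    if MINER_HINTS.search(params) or MINER_HINTS.search(app):
        reasons.append("miner-like arguments")
    # The program that actually runs is the wrapped one when nssm is in front.
    target = lookalike_of(app if wrapped else image)
    if target:
        reasons.append(f"name imitates {target}")
    return reasons


def triage_services(services, threshold: int = 2) -> list:
    """(name, reasons) for every service with at least `threshold` reasons."""
    hits = []
    for svc in services:
        reasons = triage_service(svc)
        if len(reasons) >= threshold:
            hits.append((svc["name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES):
        print(name, "->", "; ".join(reasons))
```

A wrapper alone is not evidence: the Jenkins service is wrapped by nssm and is scored with a single reason, so it stays below the threshold, while the miner service and the csrss.exe lookalike in ProgramData cross it. On a live host the dicts would be filled from the registry (for instance via `reg query` output or the `winreg` module) rather than constructed.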

Experts also found other variants of the batch script, some with additional capabilities. One, for instance, disabled Windows security features, then logged in to the attackers' FTP server to download and run a payload. That payload was an SFX archive containing new miners and a Remote Manipulator System (RMS) client, a remote-administration tool similar to TeamViewer. Using AutoIt scripts, the malware deployed RMS on the targeted system for subsequent remote access.

Other Attack Scenarios

Another attack scenario (see diagram above) also began with an SFX archive which, when opened, launched an embedded VBS script. Its main task was to open an image to distract the victim, then download and run a payload: another SFX archive whose embedded script is described below.

The svchost.vbs script controlled the launch of the CryptoNight miner (csrs.exe), monitored running processes, and if it detected Task Manager (taskmgr.exe, processhacker.exe), it would terminate the miner process and restart it after the manager was closed. The mining pool address corresponded to Monero.
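The following is an added example, not code from the report: a detection heuristic for the evasion just described, run over a constructed timeline of process start and stop events. It looks for a process that stops shortly after a process-monitoring tool opens and starts again shortly after the tool closes, across more than one such session. The event list, the five-second window, the monitor-tool names and the session threshold are this example's own assumptions; real telemetry (Sysmon process-create and process-terminate events, EDR feeds) would additionally key on process IDs.

```python
# Added example, not from the report: detect processes that hide from a process
# monitor, over a constructed process-event timeline (not real telemetry).
import collections

MONITORS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe"}
WINDOW = 5.0  # seconds; an assumption tuned for this sample

# Constructed sample: (seconds since boot, "start" | "stop", image name).
EVENTS = [
    (0.0, "start", "csrs.exe"),
    (120.0, "start", "taskmgr.exe"),
    (120.6, "stop", "csrs.exe"),       # miner vanishes as soon as Task Manager opens
    (180.0, "stop", "taskmgr.exe"),
    (181.2, "start", "csrs.exe"),      # and comes back once it is closed
    (300.0, "start", "taskmgr.exe"),
    (300.5, "stop", "csrs.exe"),
    (301.0, "stop", "notepad.exe"),    # unrelated exit in the same window
    (340.0, "stop", "taskmgr.exe"),
    (340.9, "start", "csrs.exe"),
]


def monitor_sessions(events):
    """[(open_time, close_time)] for each run of a process-monitoring tool."""
    sessions, open_at = [], {}
    for t, kind, image in sorted(events):
        name = image.lower()
        if name not in MONITORS:
            continue
        if kind == "start":
            open_at[name] = t
        elif kind == "stop" and name in open_at:
            sessions.append((open_at.pop(name), t))
    return sessions


def find_monitor_dodgers(events, window=WINDOW, min_sessions=2):
    """Images that stop within `window` s of a monitor opening and start again
    within `window` s of it closing, in at least `min_sessions` sessions."""
    hits = collections.Counter()
    for opened, closed in monitor_sessions(events):
        stopped = {img.lower() for t, k, img in events
                   if k == "stop" and opened <= t <= opened + window
                   and img.lower() not in MONITORS}
        restarted = {img.lower() for t, k, img in events
                     if k == "start" and closed <= t <= closed + window}
        for img in stopped & restarted:
            hits[img] += 1
    return sorted(img for img, n in hits.items() if n >= min_sessions)


if __name__ == "__main__":
    print("monitor sessions:", monitor_sessions(EVENTS))
    print("processes dodging the monitor:", find_monitor_dodgers(EVENTS))
```

Requiring both halves of the pattern (stop on open and restart on close) and more than one session is what keeps an unrelated exit such as the notepad.exe stop in the sample from being reported; the window and session count are the knobs to tune against a host's real baseline.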

Conclusion

Firsh concludes that this vulnerability in the Windows client for Telegram was apparently only known to Russian cybercriminals, as all detected exploitation cases occurred in Russia. Detailed analysis of the attacks revealed numerous artifacts pointing to Russian-speaking attackers.

“We do not have exact information on how long or in which versions the vulnerability was present, but we can confirm that exploitation began in March 2017. We notified the developers about the issue, and as of today, the vulnerability no longer exists in Telegram products,” the researcher summarized.
