You all know that launching random executable files is not a good idea. But what about opening images? Surely, a funny cat picture received via an instant messaging app can't be that harmful, can it? Under normal circumstances, it can't, which is why hackers have been on the hunt for ways of making malicious files look like harmless images. A vulnerability in the Telegram IM application gave them the chance to do just that. Kaspersky's researchers explained how it all happened.
The attack involves a technique called Right-to-Left Override. Security experts first spotted it years ago, and they know very well how it works. What they didn't know was that the Telegram messaging application was vulnerable to it.
The attack relies on a Unicode character, U+202E, which has a perfectly legitimate use – writing text in right-to-left languages like Hebrew and Arabic. Hackers, on the other hand, use it for obfuscating file extensions. U+202E is a non-printing character, which means that it doesn't appear in a normal string of text. When it's put in the right place, it can easily fool victims into thinking that they're opening a benign image or text file when, in fact, they're launching an executable. Here's how it works.
Take a JS file named "DSC011126GPJ.JS" and put the U+202E character between "6" and "G". Without showing up in the file name, the Unicode character reverses the order of the characters that appear after it, so the file name is displayed as "DSC011126SJ.JPG". That looks like the name of a JPEG picture taken with a digital camera. In reality, it's not. It's still a JS file. The U+202E character doesn't change the contents of the file, and if there's malicious code in it, it will run. As Kaspersky's experts noted, under its default settings, Windows warns users that they're about to launch an executable file, but the fact that the attack worked in the wild shows that there's no shortage of people who have ignored the prompt.
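The renaming trick above is easy to check for mechanically, which is what a mail gateway, a download scanner or a file-sharing bot should do. The following Python script is an added example (not code from the article or from Kaspersky): it finds invisible bidirectional control characters in a file name, simulates the simplified display effect the article describes (everything after U+202E shown reversed, up to an optional U+202C terminator), and compares the extension a user would see with the extension the operating system actually uses. The executable-extension list and the sample file names are constructed for the demo, and the rendering model is a deliberate simplification of the Unicode bidi algorithm, not a full implementation of it.

```python
# Unicode bidirectional control characters. U+202E (RLO) is the one abused in the
# article; the others are listed because they are equally invisible in a file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Illustrative (not exhaustive) set of extensions Windows runs directly. Assumption for the demo.
EXECUTABLE_EXTENSIONS = {"exe", "js", "jse", "vbs", "vbe", "bat", "cmd", "scr",
                         "com", "pif", "hta", "ps1", "msi"}


def strip_bidi(text: str) -> str:
    """Remove the invisible bidirectional control characters."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a user sees in a file list that honours U+202E.

    Simplified model (assumption, not UAX #9): the text after the first RLO is shown
    reversed, up to a terminating U+202C (PDF) or the end of the name. Every other
    control character is simply invisible.
    """
    if "\u202e" not in name:
        return strip_bidi(name)
    head, tail = name.split("\u202e", 1)
    overridden, _, rest = tail.partition("\u202c")  # rest is "" when there is no PDF
    return strip_bidi(head) + strip_bidi(overridden)[::-1] + strip_bidi(rest)


def extension_of(name: str) -> str:
    """Lower-cased extension of a control-free name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def analyze_filename(name: str) -> dict:
    """Report the hidden controls, the displayed name, and the real versus apparent extension."""
    controls = [f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})" for ch in name if ch in BIDI_CONTROLS]
    displayed = rendered_name(name)
    actual_ext = extension_of(strip_bidi(name))     # what the OS will use to open the file
    displayed_ext = extension_of(displayed)          # what the victim believes they see
    return {
        "controls": controls,
        "displayed": displayed,
        "actual_extension": actual_ext,
        "displayed_extension": displayed_ext,
        # Any bidi control in a file name is worth a second look; a mismatch that hides
        # an executable type is the pattern from the Telegram campaign.
        "suspicious": bool(controls),
        "disguised_executable": actual_ext in EXECUTABLE_EXTENSIONS and displayed_ext != actual_ext,
    }


if __name__ == "__main__":
    # Constructed sample names: the article's example plus a benign photo name.
    samples = ["DSC011126\u202eGPJ.JS", "IMG_0042.jpg"]
    for sample in samples:
        report = analyze_filename(sample)
        print(f"{report['displayed']!r}: real .{report['actual_extension'] or '-'}, "
              f"controls={report['controls']}, disguised_executable={report['disguised_executable']}")
```

Running the script shows the article's file name rendered as "DSC011126SJ.JPG" while its real extension is "js", which is exactly the mismatch a scanner should block or at least rename (for example by stripping the control characters so the true extension becomes visible again).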
The researchers first spotted the attack in October, but after further investigation, they found campaigns dating back to March 2017. Once the malicious file was run, a downloader would be written to the disk, and it would modify the system's registry to achieve persistence. Then, it would contact a Telegram bot that acted as a Command & Control (C&C) server and would wait for instructions, which, curiously enough, were written in Russian.
The downloader's purpose was, as you might imagine, to download and deploy second-stage payloads, which, for the most part, consisted of cryptocurrency miners. The malicious software was quite clever. In addition to generating crypto coins, the miners displayed decoy documents to distract the victims, and some of them even monitored the list of active processes and temporarily ceased the mining activity when they saw that the Task Manager was running. In some cases, several miners were launched at the same time, and they mined for all sorts of cryptocurrencies, including Monero, Zcash, and Fantomcoin.
In other instances, the downloader would deploy a Remote Manipulator System similar to TeamViewer, which gave the hackers additional access to the compromised endpoint, and the researchers also spotted a payload that was specifically designed to steal artifacts from Telegram's local cache.
Of course, these are only the payloads Kaspersky monitored. The experts said that the full scope of the attack remains unknown. The good news is, after learning about the issue, Telegram patched their product, and right now, it's no longer possible to abuse the IM application in this particular way. The use of what is now an ancient confidence trick shows, however, that you should be careful with all the files you receive, regardless of how legitimate they appear.