Kaspersky Lab researchers have uncovered ‘in the wild’ attacks being carried out by a new piece of malware using a zero-day vulnerability in the Telegram Desktop app.
The vulnerability was used to deliver multipurpose malware which, depending on the victim's computer, acted either as a backdoor or as a dropper for mining software. According to the research, the vulnerability has been actively exploited since March 2017 for its cryptocurrency mining functionality, covering Monero, Zcash and other currencies.
During their analysis, Kaspersky Lab experts identified several scenarios in which the zero-day was exploited in the wild by threat actors. Firstly, the vulnerability was exploited to deliver mining malware, which can be significantly harmful to users. By using the victim's PC computing power, cybercriminals have been mining different cryptocurrencies, including Monero, Zcash, Fantomcoin and others. Moreover, while analyzing a threat actor's servers, Kaspersky Lab researchers found archives containing Telegram local caches that had been stolen from victims.
Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as its command and control protocol was installed, giving the attackers remote access to the victim's computer. After installation it ran silently, which allowed the threat actor to remain unnoticed on the network and execute various commands, including the further installation of spyware tools.
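A backdoor that uses the Telegram API as its command and control channel still has to reach Telegram's API hosts, and on most machines only the messenger itself should be doing that. The following is an added detection example, not code from Kaspersky Lab or from the reported malware: it reads constructed endpoint network telemetry (the line format, process names, PIDs and addresses are all assumed for illustration) and flags any process outside an allowlist that connects to the Telegram API.

```python
"""
Added example: flag processes other than the Telegram client that talk to the
Telegram API, which is what a Telegram-API-based backdoor has to do to receive
commands. Log format and sample values are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample of per-connection endpoint telemetry (not real data).
# Assumed format: "<timestamp> process=<image> pid=<n> dst=<ip:port> sni=<hostname>"
SAMPLE_LOG = """\
2018-02-13T10:01:02Z process=Telegram.exe pid=4120 dst=149.154.167.50:443 sni=api.telegram.org
2018-02-13T10:01:09Z process=chrome.exe pid=2211 dst=172.217.16.110:443 sni=www.google.com
2018-02-13T10:02:15Z process=svchost.exe pid=3388 dst=149.154.167.220:443 sni=api.telegram.org
2018-02-13T10:02:31Z process=svchost.exe pid=3388 dst=149.154.167.220:443 sni=api.telegram.org
2018-02-13T10:03:40Z process=updater.exe pid=5010 dst=149.154.167.220:443 sni=api.telegram.org
2018-02-13T10:04:00Z process=Telegram.exe pid=4120 dst=149.154.167.51:443 sni=api.telegram.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) process=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>\S+) sni=(?P<sni>\S+)$"
)

# Hostname of the Telegram Bot API. Match on SNI/hostname rather than on IP,
# since Telegram's address ranges are shared by its legitimate services.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Processes expected to talk to Telegram on this fleet (assumed allowlist; tune
# per environment, e.g. add sanctioned bots or monitoring tools).
ALLOWED_PROCESSES = {"telegram.exe"}


def parse(log_text):
    """Parse the constructed telemetry format into a list of dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_telegram_clients(log_text, allowed=ALLOWED_PROCESSES):
    """Return {(process, pid): connection count} for non-allowlisted processes
    that contacted the Telegram API."""
    counts = defaultdict(int)
    allowed_lower = {p.lower() for p in allowed}
    for ev in parse(log_text):
        if ev["sni"].lower() in TELEGRAM_API_HOSTS and ev["proc"].lower() not in allowed_lower:
            counts[(ev["proc"], int(ev["pid"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious_telegram_clients(SAMPLE_LOG)
    for (proc, pid), n in sorted(hits.items()):
        print(f"ALERT: {proc} (pid {pid}) contacted the Telegram API {n} time(s)")
```

The allowlist matters: the Telegram Bot API is widely used by legitimate automation, so the signal is not "traffic to api.telegram.org" but "traffic to api.telegram.org from a process that has no business there", such as a system process or an unknown binary. Repeated beaconing from one PID (as with the constructed `svchost.exe` entries above) is the pattern worth escalating.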
The artefacts discovered during the research point to the cybercriminals being of Russian origin.
“The popularity of instant messenger services is incredibly high, and it’s extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals. We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability,” said Alexey Firsh, Malware Analyst, Targeted Attacks Research, Kaspersky Lab.
Kaspersky Lab products detect and block exploitation of this vulnerability.
To protect your PC from infection, Kaspersky Lab recommends the following:
• Do not download and open unknown files from untrusted sources;
• Try to avoid sharing any sensitive personal information in instant messengers;
• Install a reliable security solution such as Kaspersky Internet Security or Kaspersky Free that detects and protects you from threats, including malicious mining software.