Telegram 0-Day Used to Spread Monero and Zcash Mining Malware[source: bleepingcomputer]
by CIRT Team
Malware authors have used a zero-day vulnerability in the Windows client for the Telegram instant messaging service to infect users with cryptocurrency mining malware, researchers from Kaspersky Lab plan to reveal today.
The zero-day has been fixed in the meantime, but Kaspersky researcher Alexey Firsh says crooks appear to have used the flaw for months before he discovered it last October.
The ol’ filename fliparoo
According to Firsh, the zero-day is in how the Telegram Windows client handles the RLO (right-to-left override) Unicode character. This character switches text display between left-to-right and right-to-left.
Firsh says crooks spammed Telegram users with messages containing file attachments. The file names contained the RLO character, which changed text display direction right in the middle of the file’s name.
For example, in one campaign crooks sent users a file named “photo_high_re*U+202E*gnp.js”, where *U+202E* is the RLO character.
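As an added illustration (not code from the article or from Kaspersky), the check below flags filenames that contain bidirectional override characters and compares the extension a user would see with the extension the operating system actually uses. Assumed: a naive renderer that reverses everything after an RLO, and the list of other bidi controls, which generalises beyond the single U+202E case the article describes.

```python
# Unicode bidirectional control characters that can disguise a filename.
# U+202E (RLO) is the one from the article; the rest are real bidi controls
# added here as a generalisation.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, codepoint, abbreviation) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what the user sees: text after an RLO is shown reversed.
    Only the RLO case is modelled (assumption); other controls are dropped."""
    shown = ""
    for i, ch in enumerate(name):
        if ch == "\u202e":
            rest = "".join(c for c in name[i + 1:] if c not in BIDI_CONTROLS)
            return shown + rest[::-1]
        if ch not in BIDI_CONTROLS:
            shown += ch
    return shown


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(name):
    """Compare displayed vs real extension and flag a mismatch as suspicious."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    real = "".join(c for c in name if c not in BIDI_CONTROLS)
    return {
        "controls": controls,
        "displayed_as": shown,
        "displayed_extension": _extension(shown),
        "real_extension": _extension(real),
        "suspicious": bool(controls) and _extension(shown) != _extension(real),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the article's example filename
    print(analyse("photo_high_re\u202egnp.js"))
```

For the article's example the user sees "photo_high_resj.png" while the file is really executed as a .js script, which is exactly the mismatch the check reports.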