Makers of the Telegram instant messenger have fixed a critical vulnerability that hackers were actively exploiting to install malware on users’ computers, researchers said Tuesday.
The flaw, which resided in the Windows version of the messaging app, allowed attackers to disguise the names of attached files, researchers from security firm Kaspersky Lab said in a blog post. By using the text-formatting standard known as Unicode, attackers were able to cause characters in file names to appear from right to left, instead of the left-to-right order that’s normal for most Western languages.
The technique worked by using the special Unicode formatting *U+202E* which causes text strings following it to be displayed from right to left. As a result, Telegram for Windows converted files with names such as “photo_high_regnp.js” to “photo_high_resj.png,” giving the appearance they were benign image files rather than files that executed code.
Malware that uses right-to-left formatting dates back to at least 2009. Four years ago, the right-to-left Unicode trick made a reappearance with malware that targeted computers running both Windows and macOS.
Kaspersky Lab said hackers with ties to Russian crime gangs were exploiting the Telegram vulnerability to install two types of malware on vulnerable computers. One type of malware acted as a persistent backdoor that gave the attackers complete control over the compromised computer. The other malware mined cryptocurrency. It’s not clear when Telegram fixed the vulnerability. To be exploited, targets would have to click through a Windows warning similar to the one pictured above. Kaspersky Lab said the flaw affected only the Windows version of the app.