Kaspersky Lab specialists have discovered a vulnerability in the Telegram client for Windows that attackers had been exploiting since March 2017 to mine cryptocurrency and install spyware. According to Kommersant, up to a thousand people may have been affected.
According to the experts, the vulnerability was exploited through a right-to-left override (RLO) attack: the attackers inserted the Unicode RLO control character into a file name so that the characters of the name and extension were displayed in reversed order. The victim therefore downloaded the malicious program believing it to be, for example, an image, and launched it themselves, unaware that it was an executable file. This gave the criminals remote access to the victims' computers, whose computing power they used to mine Monero, Zcash, Fantomcoin and other cryptocurrencies.
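The following added example (not code from Kaspersky Lab or Telegram) shows how an RLO-spoofed file name is displayed versus how the operating system actually interprets it, and how a client or mail gateway can flag such names. The sample file name is constructed for illustration, and the display model is a deliberately simplified version of the Unicode bidirectional algorithm: everything after U+202E is assumed to be drawn right-to-left.

```python
"""Detect right-to-left override (RLO) file name spoofing.

Added example, not code from the original report. The spoofed file name
below is constructed for illustration and the rendering model is a
simplification (text after U+202E is simply reversed).
"""

# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202A",  # LEFT-TO-RIGHT EMBEDDING
    "\u202B",  # RIGHT-TO-LEFT EMBEDDING
    "\u202C",  # POP DIRECTIONAL FORMATTING
    "\u202D",  # LEFT-TO-RIGHT OVERRIDE
    "\u202E",  # RIGHT-TO-LEFT OVERRIDE (the character abused in this attack)
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
    "\u2069",  # POP DIRECTIONAL ISOLATE
}

RLO = "\u202E"

# Extensions Windows will execute when the file is double-clicked (assumption:
# a representative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "js", "jse", "vbs", "vbe", "wsf", "scr",
                         "bat", "cmd", "ps1", "hta", "com", "pif"}

# Constructed sample: on disk this is "photo_high_re<RLO>gnp.js".
SPOOFED_NAME = "photo_high_re" + RLO + "gnp.js"


def contains_bidi_control(name: str) -> bool:
    """True if the file name carries any bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def true_extension(name: str) -> str:
    """The extension the OS actually uses: strip the invisible control
    characters and take the text after the last dot in storage order."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    _, dot, ext = cleaned.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """Approximate what a naive renderer shows: characters after U+202E are
    drawn right-to-left, i.e. reversed, until the end of the string."""
    head, rlo, tail = name.partition(RLO)
    return head + tail[::-1] if rlo else name


def displayed_extension(name: str) -> str:
    """The extension a user believes they see."""
    _, dot, ext = displayed_name(name).rpartition(".")
    return ext.lower() if dot else ""


def is_spoofed(name: str) -> bool:
    """Flag names that use bidi controls to hide an executable extension
    behind a different displayed one."""
    if not contains_bidi_control(name):
        return False
    real = true_extension(name)
    return real in EXECUTABLE_EXTENSIONS and displayed_extension(name) != real


if __name__ == "__main__":
    for candidate in (SPOOFED_NAME, "holiday.png", "notes" + RLO + "txt.png"):
        print(repr(candidate), "shown as", displayed_name(candidate),
              "| real ext:", true_extension(candidate),
              "| spoofed:", is_spoofed(candidate))
```

The important point for a defender is that the display and the execution path disagree: the renderer shows `photo_high_resj.png`, but Windows opens the file as a `.js` script. A sanitizer that strips or refuses bidi control characters in received file names, or at least renders the true extension separately, removes the ambiguity regardless of how the chat window draws the name.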
In addition, the attackers installed spyware on the compromised computers. On the criminals' servers, analysts found archives of Telegram's local cache that had been exfiltrated from the victims' devices. Among other things, each archive contained user material in encrypted form: documents, audio and video recordings, and photographs.
The artifacts found suggest that the criminals are of Russian origin: some strings in the malicious code were in Russian, and the attackers' exposed email addresses contained Russian words and names.
All recorded attacks took place in Russia and affected only the Windows client. At the same time, Kaspersky Lab's specialists do not rule out that other platforms were also exposed to the vulnerability.
Telegram's developers have been notified of the problem, and the vulnerability has already been closed.