Delaware, USA – February 14, 2018 – Researchers from Kaspersky Lab discovered a zero-day vulnerability in the Windows client for Telegram that attackers had been using for almost a year to infect users with malware. In October 2017, the researchers spotted a vulnerability that allows attackers to perform a right-to-left override attack: a Unicode control character in a filename reverses how the end of the name is displayed, so the file's real extension is hidden from the user. Further investigation showed that the flaw had been actively exploited since March of the previous year. Attackers used it to disguise malware as image files and sent them to their victims. Analysis of the discovered samples showed that they were designed either to remotely control compromised systems or to install various cryptocurrency miners. In the first case, the attackers sent a downloader and used a control bot to deploy various malware, including loggers and backdoors. In the second case, they sent a malicious SFX archive capable of installing several cryptocurrency miners and uploading the contents of the local Telegram cache to an FTP server.
The latest Telegram update fixes this vulnerability. To detect the activity of malware that bypasses standard security solutions, you can use the APT Framework use case for your SIEM; it helps your SIEM detect malicious activity at the various stages of the Cyber Kill Chain.
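The right-to-left override trick described above is straightforward to detect on the defensive side, because the disguise depends on Unicode bidirectional control characters that have no business in an ordinary filename. The following is an added example written for this article; it is not Kaspersky Lab's or Telegram's code. It scans filenames (for instance from a mail gateway, endpoint or SIEM attachment log) for bidi controls, recovers the extension the operating system will actually use, estimates the extension the user was shown, and flags the combination "bidi control present and real extension is executable". The filenames and the list of executable extensions are constructed for the example.

```python
# Added example: detect filenames that use Unicode bidirectional override
# characters (the "right-to-left override" technique) to disguise an executable
# as a harmless-looking file. Not code from Kaspersky Lab or Telegram.

# Unicode bidi control characters that change how a name is rendered.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions treated as executable content (assumption made for this example).
EXECUTABLE_EXTENSIONS = {
    "js", "exe", "scr", "bat", "cmd", "vbs", "ps1", "hta", "jar", "com", "wsf",
}


def contains_bidi_control(name):
    """True if any bidi control character appears anywhere in the name."""
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name):
    """Remove display-only bidi controls; the OS ignores them when resolving type."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name):
    """Extension the OS uses: text after the last dot in the raw name."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_extension(name):
    """Extension a user sees in a GUI that honours the RLO.

    Assumption for this example: a single U+202E with no closing PDF, so
    everything after it is rendered reversed. That is the classic pattern;
    other bidi layouts fall back to the real extension.
    """
    if "\u202e" not in name:
        return real_extension(name)
    head, tail = name.split("\u202e", 1)
    shown = head + strip_bidi_controls(tail)[::-1]
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def assess(name):
    """Classify one filename. Returns a dict suitable for SIEM enrichment."""
    real = real_extension(name)
    shown = displayed_extension(name)
    if not contains_bidi_control(name):
        verdict = "clean"
    elif real in EXECUTABLE_EXTENSIONS and shown != real:
        # Executable whose visible extension differs from its real one.
        verdict = "disguised-executable"
    else:
        # Bidi controls present but no executable hidden: worth a look,
        # but legitimate RTL-language filenames can land here.
        verdict = "bidi-control-present"
    return {"name": name, "real_ext": real, "shown_ext": shown, "verdict": verdict}


def scan(names):
    """Assess a batch of filenames; returns only the non-clean findings."""
    return [r for r in (assess(n) for n in names) if r["verdict"] != "clean"]


# Constructed sample filenames (not real samples from the campaign).
SAMPLE_NAMES = [
    "vacation.png",                    # benign
    "photo_high_re\u202egnp.js",       # renders as photo_high_resj.png, runs as .js
    "note\u202efdp.txt",               # bidi control, but real type is .txt
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(
            f"{finding['verdict']:22} shown=.{finding['shown_ext']:4} "
            f"real=.{finding['real_ext']:4} {finding['name']!r}"
        )
```

The `bidi-control-present` verdict is kept separate from `disguised-executable` on purpose: filenames in Arabic or Hebrew may legitimately carry LRM/RLM marks, so blocking on any bidi control would generate false positives, while an executable whose shown extension differs from its real one is a strong indicator worth alerting on.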