Hackers Exploit Right-to-Left Override Bug in Telegram to Distribute Malware

Hackers have exploited a bug in how Telegram’s Windows messaging client displays file names that contain a right-to-left override (RLO) character, to infect users with malware.

The RLO character, represented by “U+202E” in Unicode, indicates that the text following it should be displayed from right to left. This is useful for languages like Arabic, but can also be used maliciously to mislead users.

For example, a file with the name photo*U+202E*gnp.bat might be displayed to users in applications as phototab.png, yet retain the original .bat extension, which Windows treats as an executable batch script.

This is not a new attack technique and hackers have used it for years. However, application developers who handle filenames should account for it and block its misuse, which apparently hadn’t happened in the Telegram client on Windows.
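The kind of check a client or gateway could apply is illustrated below with the article’s own example name (added example, not code from Telegram or Kaspersky). It strips Unicode bidi control characters before computing the real extension, approximates what a bidi-naive UI would show after a single U+202E, and flags the mismatch; the single-RLO rendering model is a simplification assumed here for illustration.

```python
# Unicode bidirectional embedding/override/isolate controls that can reorder
# how a string is drawn without changing the bytes the OS acts on.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def rendered_name(name: str) -> str:
    """Approximate how a UI that honours U+202E shows the name: everything
    after the first RLO is drawn reversed (simplified single-override model)."""
    if "\u202E" not in name:
        return name
    head, _, tail = name.partition("\u202E")
    return head + tail[::-1]

def real_extension(name: str) -> str:
    """Extension the OS will use: computed after removing bidi controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""

def sanitize_for_display(name: str) -> str:
    """Mitigation: replace bidi controls with U+FFFD so the shown name
    can no longer be reordered (the file's real name is left untouched)."""
    return "".join("\ufffd" if ch in BIDI_CONTROLS else ch for ch in name)

def check_filename(name: str) -> dict:
    """Verdict a messaging client or mail gateway could act on."""
    controls = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    apparent = shown[shown.rfind("."):].lower() if "." in shown else ""
    real = real_extension(name)
    return {
        "contains_bidi_control": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "apparent_extension": apparent,
        "real_extension": real,
        # Spoofed: a bidi control is present and what the user sees differs
        # from what the OS will execute.
        "spoofed": bool(controls) and apparent != real,
        "safe_display_name": sanitize_for_display(name),
    }

if __name__ == "__main__":
    # Constructed sample from the article's example: photo<RLO>gnp.bat
    print(check_filename("photo\u202Egnp.bat"))
```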

Researchers from Kaspersky Lab became aware of Telegram-based RLO attacks at the beginning of October, but believe hackers have exploited the flaw since March of last year. In some of the attacks, cybercriminals sent users JavaScript files called photo_high_re*U+202E*gnp.js which Telegram displayed as photo_high_resj.png.

This tricked users into believing they were opening a PNG image, when in fact they were executing malicious JS scripts on their computers. Depending on their system’s security settings, users might have seen an additional Windows warning when opening such files.

According to the Kaspersky researchers, the Telegram attacks were launched primarily by Russian cybercriminals with the goal of distributing remote access Trojans and cryptocurrency mining malware.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability,” the researchers said in a blog post Tuesday. “What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.”

Lazarus Group Resumes Attacks on Banks and Eyes Bitcoin Users

A notorious hacking group tied to North Korea has launched a new attack campaign against global financial institutions and Bitcoin users.

The phishing campaign started in January and involves rogue documents with malicious macros that masquerade as job recruitment offers, according to researchers from McAfee’s Advanced Threat Research (ATR) team. If the documents are opened and the macros are executed, a previously unseen malware implant aimed at long-term data gathering will be installed on victims’ computers.

The implant, which has been dubbed HaoBao, is different from past Lazarus malware variants and also searches for Bitcoin-related software on infected computers.

“HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level,” the McAfee researchers said Monday in a blog post.

Lazarus is probably the most sophisticated hacker group that’s believed to be tied to North Korea. It has been active since at least 2009 and has attacked many government and private organizations from South Korea and the U.S. over the years, including Sony Pictures Entertainment in 2014.

In recent years the group has focused on breaking into financial institutions and central banks in order to steal large sums of money, supposedly for the North Korean government. Lazarus is considered responsible for the theft of $81 million from the central bank of Bangladesh in 2016, among other cyber heists.

The group’s new focus on Bitcoin is in line with North Korea’s increasing interest in cryptocurrencies.

Older Windows Systems Will Get Windows Defender Advanced Threat Protection

Microsoft has decided to expand Windows Defender Advanced Threat Protection (ATP) to Windows 8.1 and Windows 7. Until now, this technology has only been available on Windows 10.

Windows Defender ATP combines exploit prevention, malware detection, incident response and cloud-based analytics in a holistic security defense approach. Starting this summer, Microsoft will backport some of those features to older Windows versions to help companies who are migrating to Windows 10 but still have old systems on their networks.

“For Windows 7 and Windows 8.1, we are building a behavioral based EDR solution to give security teams rich insights into threats on their endpoints,” Rob Lefferts, partner director for Security & Enterprise in the Windows & Devices Group at Microsoft, said in a blog post Monday. “All detections and events are surfaced in Windows Defender Security Center, the cloud-based console for Windows Defender ATP. Security teams benefit from correlated alerts for known and unknown adversaries, additional threat intelligence, and a detailed machine timeline for further investigations and manual response options.”

ATP also supports devices running macOS, Linux, Android and iOS through partnerships with third-party security vendors that provide security solutions for those systems, including Bitdefender, Lookout, Ziften and SentinelOne.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
