Hackers Exploit Right-to-Left Override Bug in Telegram to Distribute Malware
Hackers have exploited a bug in how Telegram’s Windows messaging client displays file names that contain a right-to-left override (RLO) character, to infect users with malware.
The RLO character, U+202E in Unicode, signals that the text following it should be displayed from right to left. This is useful for languages like Arabic, but it can also be used maliciously to mislead users.
For example, a file named photo*U+202E*gnp.bat can be displayed to users as phototab.png, because everything after the RLO character is drawn reversed. The file still carries its real .bat extension, and Windows will run it as a batch script when the user opens it.
This is not a new attack technique and hackers have used it for years. However, application developers that deal with filenames should account for it and block its misuse, which apparently hasn’t happened in the Telegram client on Windows.
Researchers from Kaspersky Lab became aware of Telegram-based RLO attacks at the beginning of October, but believe hackers have exploited the flaw since March of last year. In some of the attacks, cybercriminals sent users JavaScript files called photo_high_re*U+202E*gnp.js which Telegram displayed as photo_high_resj.png.
This tricked users into believing they were opening a PNG image, when in fact they were executing malicious JS scripts on their computers. Depending on their system’s security settings, users might have seen an additional Windows warning when opening such files.
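The display trick behind the two file names above (photo*U+202E*gnp.bat and photo_high_re*U+202E*gnp.js), plus the kind of filename check that applications handling uploads or attachments should perform, as an added example that is not from the article, Telegram or Kaspersky. The rendering function is a deliberate simplification of the Unicode bidirectional algorithm: it assumes a naive left-to-right UI and models only U+202E, reversing everything after it. The function names and the sample file names are constructed for this example.

```python
import os
import unicodedata

# Unicode bidirectional control characters. None of these belong in a
# file name, so their presence alone is enough to flag or reject a file.
BIDI_CONTROLS = {
    "\u061c",  # ARABIC LETTER MARK
    "\u200e",  # LEFT-TO-RIGHT MARK
    "\u200f",  # RIGHT-TO-LEFT MARK
    "\u202a",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c",  # POP DIRECTIONAL FORMATTING
    "\u202d",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
    "\u2069",  # POP DIRECTIONAL ISOLATE
}
RLO = "\u202e"


def find_bidi_controls(name):
    """Return (index, code point, character name) for every bidi control in name."""
    return [
        (i, f"U+{ord(c):04X}", unicodedata.name(c))
        for i, c in enumerate(name)
        if c in BIDI_CONTROLS
    ]


def rendered_name(name):
    """Approximate what a naive left-to-right UI draws for name.

    Simplification (assumption): only U+202E is modelled. Everything after
    the first RLO is forced right-to-left and therefore drawn reversed.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail.replace(RLO, "")[::-1]


def real_extension(name):
    """Extension the OS will actually dispatch on, bidi trickery ignored."""
    return os.path.splitext(name)[1].lower()


def displayed_extension(name):
    """Extension the user believes they see."""
    return os.path.splitext(rendered_name(name))[1].lower()


def is_suspicious(name):
    """True if the name carries bidi controls or the visible extension
    differs from the one the OS will use."""
    return bool(find_bidi_controls(name)) or real_extension(name) != displayed_extension(name)


def sanitize(name):
    """Strip bidi controls so that the shown name matches the real name.
    Rejecting the file outright is the stricter alternative."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


if __name__ == "__main__":
    # Constructed samples reproducing the two names from the article plus a benign one.
    samples = [
        "photo\u202egnp.bat",
        "photo_high_re\u202egnp.js",
        "holiday.png",
    ]
    for n in samples:
        print(f"raw={n!r:32} shown={rendered_name(n)!r:24} "
              f"real_ext={real_extension(n)} suspicious={is_suspicious(n)}")
```

Running the block prints the raw name, the name a naive UI would show (phototab.png and photo_high_resj.png for the two attack samples), the extension Windows will actually act on, and the verdict. In a real client the check belongs at the point where the file name is first accepted (upload, forward, download), not only in the rendering code, so that the stored name and the displayed name can never disagree.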
According to the Kaspersky researchers, the Telegram attacks were launched primarily by Russian cybercriminals with the goal of distributing remote access Trojans and cryptocurrency mining malware.
“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability,” the researchers said in a blog post Tuesday. “What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.”
Lazarus Group Resumes Attacks on Banks and Eyes Bitcoin Users
A notorious hacking group tied to North Korea has launched a new attack campaign against global financial institutions and Bitcoin users.
The phishing campaign started in January and involves rogue documents with malicious macros that masquerade as job recruitment offers, according to researchers from McAfee’s Advanced Threat Research (ATR) team. If the documents are opened and the macros are executed, a previously unseen malware implant aimed at long-term data gathering will be installed on victims’ computers.
The implant, which has been dubbed HaoBao, is different from past Lazarus malware variants and also searches for Bitcoin-related software on infected computers.
“HaoBao targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level,” the McAfee researchers said Monday in a blog post.
Lazarus is probably the most sophisticated hacker group that’s believed to be tied to North Korea. It has been active since at least 2009 and has attacked many government and private organizations from South Korea and the U.S. over the years, including Sony Pictures Entertainment in 2014.
In recent years the group has focused on breaking into financial institutions and central banks in order to steal large sums of money, reportedly on behalf of the North Korean government. Lazarus is considered responsible for the theft of $81 million from the central bank of Bangladesh in 2016, among other cyber heists.
The group’s new focus on Bitcoin is in line with North Korea’s increasing interest in cryptocurrencies.
Older Windows Systems Will Get Windows Defender Advanced Threat Protection
Microsoft has decided to expand Windows Defender Advanced Threat Protection (ATP) to Windows 8.1 and Windows 7. Until now, this technology has only been available on Windows 10.
Windows Defender ATP combines exploit prevention, malware detection, incident response and cloud-based analytics in a holistic security defense approach. Starting this summer, Microsoft will backport some of those features to older Windows versions to help companies that are migrating to Windows 10 but still have older systems on their networks.
“For Windows 7 and Windows 8.1, we are building a behavioral based EDR solution to give security teams rich insights into threats on their endpoints,” Rob Lefferts, partner director for Security & Enterprise in the Windows & Devices Group at Microsoft, said in a blog post Monday. “All detections and events are surfaced in Windows Defender Security Center, the cloud-based console for Windows Defender ATP. Security teams benefit from correlated alerts for known and unknown adversaries, additional threat intelligence, and a detailed machine timeline for further investigations and manual response options.”
ATP also supports devices running macOS, Linux, Android and iOS through partnerships with third-party security vendors that provide security solutions for those systems, including Bitdefender, Lookout, Ziften and SentinelOne.