Malware in Telegram has utilized the app to mine Monero and other cryptocurrencies.

BleepingComputer reports that the popular secure messaging service Telegram has been used to spread malware that primarily mined Monero, Zcash, and Fantomcoin, but in some instances also downloaded backdoor trojans and other spyware tools. Attackers used a zero-day vulnerability for months; it was first discovered in October 2017 and has since been fixed, according to Kaspersky researcher Alexey Firsh. This news emphasizes the need for vigilance and for skepticism toward downloads, especially those of unknown origin.

Malware spread by tricking users

As BleepingComputer notes, citing a 2013 F-Secure report, the malware attack was not all that “innovative” and really just used an “old trick ... that was known for at least half a decade”. Firsh said that “it appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia”. He also added that they “don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability,” but what they “do know is that its exploitation in Windows clients began in March 2017.” It seems that the known vulnerability has been plugged, but infected computers may still be running this malware.

The malware took advantage of how the Telegram Windows client handled the right-to-left override (RLO) Unicode character, a control character that forces the text following it to be displayed right-to-left instead of left-to-right. This trick can be used to hide the real extension of a program. Using one attack as an example, where *U+202E* is the RLO Unicode character, a malicious JavaScript file named “photo_high_re*U+202E*gnp.js” would be displayed as “photo_high_resj.png”, because everything after the RLO character (“gnp.js”) is drawn reversed. At a quick glance, with a fast click to download, this looks like a harmless .png image. By the time a user realizes otherwise, their computer would already be infected.
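The following script, added here as an illustration and not part of the original article or of any Telegram or Kaspersky code, shows the defensive side of the RLO trick: given a filename as it is stored on disk, it reconstructs an approximation of what the user would see, recovers the true extension, and flags the name when the two disagree. The rendering model is a simplification of the Unicode bidirectional algorithm (only the RLO/PDF pair is modelled; real rendering depends on the UI toolkit), and the sample filenames are constructed for the example.

```python
# Added example: flag filenames whose displayed extension differs from the real one
# because of Unicode bidirectional control characters such as RLO (U+202E).
# Suitable as a check in a download filter, mail gateway or file-share scanner.
import os

# Unicode bidi control characters that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM",
}


def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO is drawn reversed until a
    PDF (pop directional formatting) or the end of the string. Other controls
    are invisible and are dropped. This is a simplification of the full bidi
    algorithm, good enough to reproduce the extension-hiding trick."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":  # RLO: reverse everything up to PDF or end of string
            j = i + 1
            while j < len(name) and name[j] != "\u202C":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1  # skip the PDF (or step past the end)
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls have no visible glyph
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the operating system actually uses: control characters removed,
    last dot onward, lower-cased."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def displayed_extension(name: str) -> str:
    """Extension as it appears to the user in the rendered name."""
    return os.path.splitext(rendered_name(name))[1].lower()


def analyze(name: str) -> dict:
    """Return a report for one filename; 'suspicious' is True when bidi controls
    are present AND they make the visible extension differ from the real one."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real = real_extension(name)
    shown = displayed_extension(name)
    return {
        "stored": name,
        "displayed": rendered_name(name),
        "real_extension": real,
        "displayed_extension": shown,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real != shown,
    }


def scan_filenames(names):
    """Return only the names a filter should hold back for review."""
    return [n for n in names if analyze(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: the article's example, a benign image, and a name that
    # uses RLO/PDF in the basename only (extension unchanged, so not flagged).
    samples = [
        "photo_high_re\u202Egnp.js",
        "holiday.png",
        "a\u202Ecba\u202C.txt",
    ]
    for n in samples:
        r = analyze(n)
        print(f"stored={r['stored']!r:32} displayed={r['displayed']!r:24} "
              f"real={r['real_extension']} shown={r['displayed_extension']} "
              f"suspicious={r['suspicious']}")
```

A practical filter would treat any bidi control character in a filename as worth logging, but only the extension mismatch as a reason to block, since legitimate right-to-left filenames also contain these characters.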

The importance of strong community funding and support, as well as the ASIC factor

Cryptocurrency’s young age, recent spikes in price, and inherent integration with technology make it an attractive target for criminals and hackers who want coins without putting in the honest work to acquire them fairly. Developers and the wider security community are constantly on watch for vulnerabilities that can be used against honest actors. To help guard against attacks, Dash is pursuing a partnership with Bugcrowd to create bounties for bugs in the Dash codebase. Even though bugs can appear anywhere, such as the one in Telegram, and not just in a cryptocurrency’s core code, it still helps to have a funded community that actively seeks out and fixes bugs. A dedicated Dash bug bounty program ensures that funding is available to pursue such issues in Dash-related software such as wallets, setting a higher standard for the Dash ecosystem as a whole.

Additionally, on chains that lack specialized mining hardware such as ASICs, botnet mining attacks are more profitable and therefore more prevalent, potentially leading to large portions of the network hashrate being traced back to malicious actors. However, while industrialized mining secures against this sort of abuse to a certain degree, it also adds the risk of hashpower centralizing in one or a few services.