Specialists at «Kaspersky Lab» discovered a vulnerability in the Windows client of the Telegram messenger that attackers had been exploiting since at least March of last year. It has now been fixed.
The vulnerability allows malicious files to be sent disguised as images, documents or videos with the help of the non-printable character RLO (right-to-left override). Its purpose is to reverse the display order of the characters that follow it.
RLO is normally used for typing in Arabic, but in the Telegram case the hackers used U+202E (the Unicode code point of RLO) to disguise malicious files. For example, the file «photo_high_re*U+202E*gnp.js» (a script) is shown to the victim as «photo_high_resj.png» (an image).
Thus the hackers could send executable files under the guise of harmless pictures. However, when the disguised «malware» is opened, the system warns the user that the file is a program and asks for permission to run it. Only if that permission is granted does the malicious code start to misbehave on the victim’s computer.
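The disguise described above can be caught before a file is opened by inspecting the raw filename rather than its rendered form. The following Python snippet is an added example for this article, not code from Kaspersky Lab or Telegram: it flags filenames containing Unicode bidirectional control characters, reconstructs the name as a renderer would display it (a simplified model assuming a single RLO and no other bidi controls), and reports the real extension the operating system will act on. The attachment names it scans are constructed for the example.

```python
from dataclasses import dataclass, field

# Unicode bidirectional control characters that can visually reorder a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows treats as directly executable scripts or programs (illustrative list).
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".hta"}


@dataclass
class FilenameVerdict:
    raw: str                 # name exactly as received (may contain control characters)
    displayed: str           # what a bidi-aware renderer would show the user
    true_extension: str      # extension the OS will use when opening the file
    displayed_extension: str # extension the user believes they see
    controls: list = field(default_factory=list)  # bidi controls found, in order
    suspicious: bool = False # True when any bidi control is present
    executable: bool = False # True when the real extension is an executable type


def strip_controls(name: str) -> str:
    """Remove all bidi control characters from a filename."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def render_displayed(name: str) -> str:
    """Simplified model of rendering: text after a U+202E is shown reversed.
    Assumption: at most one RLO and no other bidi controls; real bidi
    resolution (UAX #9) is more involved, but this reproduces the trick."""
    if "\u202e" not in name:
        return strip_controls(name)
    head, _, tail = name.partition("\u202e")
    return strip_controls(head) + strip_controls(tail)[::-1]


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_filename(name: str) -> FilenameVerdict:
    """Build a verdict describing how a filename looks versus what it really is."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    displayed = render_displayed(name)
    true_ext = extension_of(strip_controls(name))
    return FilenameVerdict(
        raw=name,
        displayed=displayed,
        true_extension=true_ext,
        displayed_extension=extension_of(displayed),
        controls=controls,
        suspicious=bool(controls),
        executable=true_ext in EXECUTABLE_EXTENSIONS,
    )


def scan_attachments(names):
    """Return only the verdicts for attachments that need human attention."""
    return [v for v in (inspect_filename(n) for n in names) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample: one benign image and the article's disguised script.
    sample = ["holiday.png", "photo_high_re\u202egnp.js"]
    for v in scan_attachments(sample):
        print(f"displayed as {v.displayed!r} but opens as {v.true_extension} "
              f"(controls={v.controls}, executable={v.executable})")
```

Because the check runs on the raw bytes of the name, it is unaffected by how the chat window happens to render the text; a mismatch between `displayed_extension` and `true_extension` is the condition that matters, and the presence of any bidi control in a filename is reason enough to hold the file for review.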
«Kaspersky Lab» revealed that the vulnerability was used to mine cryptocurrency at the expense of the victims’ PC resources and to establish remote control over their systems. In addition, the experts found the cybercriminals’ FTP server, which stored, in encrypted form, local Telegram caches uploaded from the targets of the attack.