Windows Telegram IM client 0-Day Used to Spread Monero and Zcash Mining Malware

[LASER_oneXM]

Malware authors have used a zero-day vulnerability in the Windows client for the Telegram instant messaging service to infect users with cryptocurrency mining malware, researchers from Kaspersky Lab plan to reveal today.

The zero-day has been fixed in the meantime, but Kaspersky researcher Alexey Firsh says crooks appear to have used the flaw for months before he discovered it last October.

Users got backdoors, spyware, but mostly miners
Users clicked and ran the file thinking it was an image, but in reality, they executed a JavaScript file that downloaded and installed malware on their system.

In the campaigns Firsh was able to track down, crooks used the Telegram zero-day to install malware that secretly mined cryptocurrency on users' computers. The crooks focused their efforts on mining Monero, Zcash, and Fantomcoin primarily.

Frish also discovered cases where crooks installed a backdoor trojan (controllable via the Telegram API) and other spyware tools, but in most cases, the malware authors focused on deploying crypto-mining malware.

Telegram zero-day exploited only in Russia
The zero-day vulnerability is not really that innovative and works based on an old trick, known for at least half a decade, first detailed in a 2013 F-Secure report.

According to Firsh, the zero-day saw limited use and was only exploited by a Russian-based actor.