Kaspersky Lab, one of the leading cybersecurity and anti-virus vendors, has reported that cryptocurrency-mining malware was distributed through the desktop application of the widely used messaging app Telegram.
In an official statement, researchers at Kaspersky Lab confirmed that attackers targeting Russian Telegram users spread the malware as JavaScript files disguised as pictures of kittens.
Desktops infected
The files carried names that made them look like .png images, tricking Telegram users into downloading and running what were in fact JavaScript files. Kaspersky traced the disguise to the Windows client's handling of the Unicode right-to-left override character in file names, which reverses how the tail of a name is displayed, so that a name ending in ".js" appeared to end in ".png". Once run on a desktop, the malware carried out several operations, including mining cryptocurrency.
The vulnerability was detected only in the Telegram Windows client, not in mobile apps. Our experts discovered not only its existence but also that attackers were actively using it. Victims' operating systems should warn them if they are about to run an executable from an unknown source, which ought to set off some alarm bells, but many people click Run without looking at the message.
The Kaspersky Lab team further noted that the malware carried two distinct payloads. The first installed a hidden cryptocurrency miner, which consumed the machine's processing power, slowing it down and overheating it. The second gave the attackers remote control of the device, letting them install or remove programs and further malware and collect sensitive information.
That second payload could also have exposed financial data stored locally, such as cryptocurrency wallet private keys or backup codes.
Disguised files
Telegram, however, stressed that the campaign did not stem from an internal flaw or vulnerability in the desktop app. The malware ran only if a user opened the JavaScript file disguised as a PNG image, so it could have been spread through any other messaging application just as well.
This is not a real vulnerability on Telegram Desktop; no one can remotely take control of your computer or Telegram unless you open a (malicious) file,
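The disguise described above, as an added example that is not Kaspersky's or Telegram's code: a small Python script that shows how a right-to-left override in a file name makes a .js file read as .png on screen, and how to recover the extension the operating system will actually act on. The sample names, the extension lists and the simplified rendering rule are constructed for this illustration; real bidi layout has more rules than the one modelled here.

```python
"""Detect file names that render as one type but execute as another.

Constructed example for this article; not Kaspersky's or Telegram's code.
"""

# Unicode bidirectional controls. They change how a name is drawn on screen
# but not the bytes the OS uses to choose a handler for the file.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)

# Extensions Windows hands to a script host or loader on double-click.
# Illustrative list for the example, not exhaustive.
EXECUTABLE_EXTENSIONS = frozenset({
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "com",
    "bat", "cmd", "pif", "ps1", "msi", "lnk",
})

# Registered types whose final extension Explorer hides by default.
KNOWN_TYPES = EXECUTABLE_EXTENSIONS | {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def true_extension(filename: str) -> str:
    """Extension the OS dispatches on: text after the last dot of the raw
    string, with bidi controls removed and lowercased."""
    cleaned = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    if "." not in cleaned:
        return ""
    return cleaned.rsplit(".", 1)[1].lower()


def rendered_name(filename: str, hide_known_extension: bool = False) -> str:
    """Approximate how a naive file list draws the name.

    Text after a right-to-left override (U+202E) is reversed until a pop
    directional formatting (U+202C) or the end of the string. With
    hide_known_extension=True the real final extension is dropped first,
    as Explorer's default "Hide extensions for known file types" does.
    """
    raw = filename
    if hide_known_extension and true_extension(filename) in KNOWN_TYPES:
        raw = raw[: raw.rfind(".")]
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\u202e":
            end = raw.find("\u202c", i + 1)
            if end == -1:
                end = len(raw)
            out.append(raw[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # other controls draw nothing
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(filename: str, hide_known_extension: bool = False) -> dict:
    """Summarise what the user sees versus what would run."""
    shown = rendered_name(filename, hide_known_extension)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    real_ext = true_extension(filename)
    return {
        "displayed": shown,
        "true_extension": real_ext,
        "has_bidi_control": any(ch in BIDI_CONTROLS for ch in filename),
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        # A visible extension that differs from the real one is the red flag.
        "spoofed": bool(shown_ext) and shown_ext != real_ext,
    }


# Constructed sample names. The first follows the pattern Kaspersky described:
# a right-to-left override turns "...re<RLO>gnp.js" into "...resj.png" on screen.
SAMPLES = [
    "photo_high_re\u202egnp.js",
    "kitten.png.js",   # double extension; Explorer shows it as "kitten.png"
    "kitten.png",
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = analyze(name)
        flag = "BLOCK" if r["executable"] else "ok"
        print(f"{flag:5} shown={r['displayed']!r} runs_as=.{r['true_extension']} "
              f"bidi={r['has_bidi_control']} spoofed={r['spoofed']}")
```

The useful habit is to check `true_extension`, never the displayed name: an attachment that the OS will hand to the Windows Script Host is a script no matter what icon or suffix it appears to carry, and any bidi control character in a file name is reason enough to refuse it.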
the Telegram team told Reuters.
Malware that targets cryptocurrency wallet users, or hijacks desktops to mine cryptocurrencies like Bitcoin, has been circulating since at least early 2017. In November, a new strain appeared that installed itself on devices without user interaction and swapped Ethereum wallet addresses on the clipboard for a different address.
Ethereum addresses
The malware carried a list of thousands of Ethereum addresses. Whenever the device's owner copied an address to the clipboard, it silently replaced it with one from that list, so funds sent to the pasted address went to the malware's operators instead of the intended recipient.
One victim of the wallet address modifying malware wrote:
[I copied the] Ethereum address from MyEtherWallet, pasted into Notepad. It changed it right on the spot. Maybe I didn't copy right? Copy-paste again, same address. Maybe my clipboard isn't flushing? Copy other text on the screen and paste, that works; copy address again and paste, that same different address appears! Something funky with MyEtherWallet? Open up Firefox, go to my wallet, copy-paste. THAT works fine. This is on my end.
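The swap described above, as an added example rather than code from the malware or from any wallet: a simulated hijacker that rewrites every Ethereum address it finds on the clipboard, and the comparison the victim in the quote ended up doing, done properly. The addresses are made up, and the rule that the hijacker picks the pool entry sharing the longest prefix and suffix with the victim's address is an assumption about how such tools defeat a glance at the first and last characters, not something the article reports.

```python
"""Clipboard address swapping, and the check that catches it.

Constructed example for this article, not code from the malware or from
any wallet. Every address below is made up; none is a real wallet.
"""
import os
import re

# An Ethereum address is "0x" followed by 40 hex digits.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# The operator's replacement pool. Real samples carried thousands; three
# constructed entries are enough to show the selection logic.
ATTACKER_POOL = [
    "0x1234deadbeefdeadbeefdeadbeefdeadbeef5678",
    "0x" + "f" * 40,
    "0x" + "0" * 40,
]


def closest_lookalike(victim: str, pool: list) -> str:
    """Pick the pool address sharing the longest prefix and suffix with the
    victim's. Assumption for the example: hijackers choose this way so that
    the first and last characters still match when eyeballed."""
    v = victim.lower()

    def score(candidate: str) -> int:
        c = candidate.lower()
        prefix = len(os.path.commonprefix([v, c]))
        suffix = len(os.path.commonprefix([v[::-1], c[::-1]]))
        return prefix + suffix

    return max(pool, key=score)


def hijack_clipboard(clip_text: str, pool: list = ATTACKER_POOL) -> str:
    """What the malware does on every clipboard update: rewrite each address
    it finds and leave all other text untouched, which is why the victim's
    test with ordinary text pasted fine."""
    return ETH_ADDRESS.sub(lambda m: closest_lookalike(m.group(0), pool), clip_text)


def glance_check(intended: str, pasted: str, n: int = 4) -> bool:
    """The check people do by eye: "0x" plus the first and last n characters.
    A lookalike from the pool passes it."""
    a, b = intended.lower(), pasted.lower()
    return a[:2 + n] == b[:2 + n] and a[-n:] == b[-n:]


def paste_matches(intended: str, pasted: str) -> bool:
    """The check that works: compare the whole address, character by character.
    Case is ignored because it only carries the EIP-55 checksum, not identity."""
    return intended.strip().lower() == pasted.strip().lower()


# Constructed victim address and the text the victim meant to paste.
VICTIM_ADDRESS = "0x1234567890abcdef1234567890abcdef12345678"
COPIED = f"send 0.5 ETH to {VICTIM_ADDRESS}"

if __name__ == "__main__":
    pasted = hijack_clipboard(COPIED)
    swapped = ETH_ADDRESS.search(pasted).group(0)
    print("copied :", COPIED)
    print("pasted :", pasted)
    print("glance check passes:", glance_check(VICTIM_ADDRESS, swapped))
    print("full compare passes:", paste_matches(VICTIM_ADDRESS, swapped))
```

The point of the two checks side by side: a swapped address that agrees with yours on the first and last few characters passes `glance_check` and fails `paste_matches`, so the only reliable defence is to compare the entire pasted address against the source before sending.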
Users of messaging applications should treat attachments and files with extra care, checking what a file really is before opening it, so that no malware finds its way onto their devices.