Researchers have revealed new malware designed to collect information from the Telegram messaging service.
Cisco Talos researchers Vitor Ventura and Azim Khodjibaev said on Wednesday that over the past six weeks the team has tracked the emergence of a malware family dubbed Telegrab.
This malware has been designed to collect the cache and key files of Telegram, an end-to-end encrypted messaging service.
The malicious code was first spotted in the wild on April 4, 2018; a second variant appeared six days later.
While the first version of Telegrab only stole text files, browser credentials and cookies, the second added a feature that lets the malware collect data from Telegram's desktop cache, alongside Steam login details, in order to hijack active Telegram sessions.
“Telegram session hijacking is the most interesting feature of this malware, even with limitations, this attack allows session hijacking and with it, victims’ contacts and previous conversations are compromised,” the team said.
The malware affects the desktop version of Telegram, but no security vulnerability in Telegram is being exploited.
Cisco Talos instead points to “weak defaults” in this version of the chat client, and the malware also abuses the absence of secret chats, which are not available on the desktop.
“The malware abuses the lack of secret chats which is a feature, not a bug,” Talos added. “Telegram Desktop by default does not have the auto-disconnect feature active. These two elements together are what allows malware to hijack the session and therefore the conversations.”
Telegram says in its FAQ sheet:
“Secret chats require permanent storage on the device, which Telegram Desktop and Telegram Web do not currently support. We may add this in the future. Currently desktop and web applications are loading messages from the cloud on startup and throw them away when you exit.
Since secret chats are not part of the cloud, it would kill all of your secret chats every time you shut down your computer.”
The investigation into how the malware works led the team to the person they believe, with “great confidence,” is the threat actor behind Telegrab. The author of the malware appears to be a user going by the names “Racoon Hacker” and “Eyenot”.
Several YouTube videos allegedly posted by Eyenot tell observers how to hijack Telegram sessions using the stolen cache files.
“In summary, [it is possible] by restoring the cache and map files to an existing Telegram desktop installation, if the session was open,” the team said. “It will be possible to access the victims’ previous session, contacts and chats.”
The operator behind this malware uses hard-coded pcloud.com accounts to store exfiltrated information. The data is not encrypted, so anyone with the correct credentials can download everything stored there and then access the stolen data through Telegram's desktop software.
According to Talos, the malware typically targets Russian-speaking victims.
Telegrab is distributed through downloaders written in at least three different programming languages (Go, AutoIT and Python), as well as a prototype version based on .NET.
Once downloaded, the first variant of the malware uses an executable called finder.exe, while the second is delivered as a self-extracting RAR archive.
When the malware is executed, Telegrab searches for Chrome browser credentials and session cookies for the default user as well as any .txt files present on the system.
The second variant also drops and runs additional executables, enotproject.exe or dpapi.exe, to locate and exfiltrate Telegram- and Steam-related data and, potentially, hijack a Telegram session.
Telegrab also checks the victim's IP address. If the address is on a blacklist containing a selection of addresses from China, Russia and anonymity services, the malware stops and abandons its attempt to steal data.
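The behaviours described above (dropped executables with fixed names, reads of Telegram Desktop's local data and Chrome's credential and cookie stores, and uploads to pcloud.com) are the kind of indicators a defender can correlate in endpoint telemetry. The following triage function is an added example written for this article, not code from Cisco Talos or from Telegram; the executable names and the pcloud.com domain come from the article, while the telemetry record format, the field names and the exact file paths (Telegram Desktop's "tdata" folder, Chrome's "Login Data" and "Cookies" files) are assumptions, and the sample events are constructed.

```python
"""Added example: correlate Telegrab-style indicators in endpoint telemetry.
Not code from the Talos write-up; record format and paths are assumptions."""

import re

# Executable names reported in the article.
TELEGRAB_EXECUTABLES = {"finder.exe", "enotproject.exe", "dpapi.exe"}

# Exfiltration destination reported in the article.
EXFIL_DOMAIN_RE = re.compile(r"(^|\.)pcloud\.com$", re.IGNORECASE)

# Assumed locations of the stores the malware reads: Telegram Desktop keeps
# its cache and key files under "tdata"; Chrome keeps saved logins in
# "Login Data" and cookies in "Cookies".
SENSITIVE_PATH_RES = [
    ("telegram_cache", re.compile(r"Telegram Desktop[\\/]tdata", re.IGNORECASE)),
    ("chrome_logins", re.compile(r"Chrome[\\/]User Data[\\/].*Login Data$", re.IGNORECASE)),
    ("chrome_cookies", re.compile(r"Chrome[\\/]User Data[\\/].*Cookies$", re.IGNORECASE)),
]

# Constructed telemetry records (assumed schema: type, process, path/host).
SAMPLE_EVENTS = [
    {"type": "file_read", "process": "Telegram.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "file_read", "process": "dpapi.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"type": "file_read", "process": "updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "net_connect", "process": "updater.exe", "host": "api.pcloud.com"},
    {"type": "net_connect", "process": "chrome.exe", "host": "www.example.com"},
]


def classify(event):
    """Return the list of indicator tags that apply to one telemetry record."""
    tags = []
    if event.get("process", "").lower() in TELEGRAB_EXECUTABLES:
        tags.append("known_dropper_name")
    if event.get("type") == "file_read":
        for tag, rx in SENSITIVE_PATH_RES:
            if rx.search(event.get("path", "")):
                tags.append(tag)
    if event.get("type") == "net_connect" and EXFIL_DOMAIN_RE.search(event.get("host", "")):
        tags.append("pcloud_upload")
    return tags


def triage(events):
    """Aggregate tags per process and return a verdict for each process that
    produced at least one indicator.  A process is flagged when it carries a
    known dropper name, or when it both reads a sensitive store and connects
    to pcloud.com; a single read of tdata is normal for Telegram itself."""
    per_proc = {}
    for ev in events:
        for tag in classify(ev):
            per_proc.setdefault(ev["process"].lower(), set()).add(tag)
    verdicts = {}
    for proc, tags in per_proc.items():
        touches_data = bool(tags & {"telegram_cache", "chrome_logins", "chrome_cookies"})
        flagged = "known_dropper_name" in tags or (touches_data and "pcloud_upload" in tags)
        verdicts[proc] = "suspicious" if flagged else "benign"
    return verdicts


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict}")
```

The correlation step matters more than any single rule: Telegram.exe legitimately reads its own tdata folder, so that read alone is reported as benign, whereas an unrelated process that reads a credential store and then talks to pcloud.com is flagged even if its name is not on the article's list.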
There is no persistence mechanism, so the operators appear to be interested only in smash-and-grab data theft.
“Compared to the large botnets used by large criminal enterprises, this threat can be considered almost insignificant,” the researchers say. “However, it shows how a small operation can go unnoticed and compromise thousands of credentials in less than a month, which has a significant impact on the victim’s privacy.”
ZDNet has contacted Telegram and will update if we have a response.