Telegram's contacts, conversations, and other credentials are at risk
Researchers have recently discovered a new type of malware that lets attackers steal information from the desktop version of Telegram, the end-to-end encrypted messaging app. The first version of the malware, dubbed TeleGrab, appeared on 4 May; the second showed up on the 10th of the same month. It is reported to be of Russian origin, and its primary targets are Russian-speaking individuals, with a few exceptions (the malware avoids IP addresses associated with anonymizer services).
While the first variant could only steal text files, browser cookies and credentials (it did not target Telegram specifically), the latest version focuses on collecting data from Telegram Desktop's cache. This lets the malware hijack active sessions.
The malware does not exploit any bugs or vulnerabilities in Telegram
At the moment no vulnerability has been found in the Telegram app that would allow the cache and key files to be exploited. However, security experts report that the malware succeeds because of the application's weak default configuration, especially in the desktop version, together with the absence of the Secret Chats function. These two factors allow the malware to abuse the features that are present and let attackers steal valuable data, including conversations.
As Telegram explains, Secret Chats are not supported on Telegram Desktop and Telegram Web. The main reason is that these clients are cloud-based, while the Secret Chats feature requires permanent storage on the device.
There is no information about the mobile version of the application; at the moment it is understood not to be affected by the malware.
Research on TeleGrab and the security experts' findings
The malware was discovered and observed by security researchers Vitor Ventura and Azim Khodjibaev at Cisco Talos. The team observed the malware's operation and development for over six weeks and shared their detailed findings in a blog post.
During the investigation they found several YouTube videos containing information on how to use Telegram data exfiltrated from victims to steal their sessions. Talos reports the following:
In summary, by restoring cache and map files into an existing Telegram desktop installation, if the session was open, it will be possible to access the victim's session, contacts and previous chats.
Inevitably, these videos were linked to the TeleGrab malware. Their author, who calls himself Racoon Hacker or Eyenot/Enot, is a native Russian speaker with an interest in the Python programming language. Despite not being an active user, he is clearly interested in account hijacking and payload loader augmentation, as all of his videos relate to these topics.
TeleGrab is distributed as malicious executables written in Go, Python and AutoIt. The first version of the malware drops an executable called finder.exe, which searches the system for browser cookies and .txt files. The second variant is distributed as a self-extracting RAR archive that then executes either enotproject.exe or dpapi.exe on the system. This lets TeleGrab steal data and credentials not only from Telegram but also from the popular gaming platform Steam.
The stolen data is uploaded to hardcoded pcloud.com accounts. None of it is encrypted, so it can be read by anybody who knows the correct credentials. Although a minor threat compared with large botnets and other serious data breaches, this is a clear example of how a low-profile attacker can abuse certain features and acquire the personal information of millions of users.
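The article names three dropped binaries (finder.exe, enotproject.exe, dpapi.exe), an exfiltration destination (pcloud.com) and the behaviour of reading Telegram Desktop's session cache. The following is an added example of how a defender might turn those indicators into a simple triage over endpoint logs; it is not Talos' code or anything from the malware. The key=value log layout, the event names (process_create, file_read, network_connect) and the sample lines are all constructed for the example; the only things taken from the article are the file names and the domain. It also flags any process other than Telegram itself reading the tdata folder, which generalises the article's point that session theft works by copying cache and map files.

```python
"""Indicator-based triage for the TeleGrab indicators named in the article.
Added example: an assumed key=value log format, not Sysmon's or any
real product's schema. Sample log lines below are constructed."""
import re

# Dropped executables and exfiltration domain named in the article.
SUSPICIOUS_IMAGES = {"finder.exe", "enotproject.exe", "dpapi.exe"}
EXFIL_DOMAINS = {"pcloud.com"}

# Telegram Desktop stores its session cache and key files under a "tdata" folder
# (normally %APPDATA%\Telegram Desktop\tdata); reads by a foreign process are suspicious.
TDATA_RE = re.compile(r"\\telegram desktop\\tdata\\", re.IGNORECASE)
TELEGRAM_IMAGE = "telegram.exe"

# Constructed sample log (assumed format): one event per line.
SAMPLE_LOG = [
    r'event=process_create image="C:\Program Files\Telegram Desktop\Telegram.exe" pid=4120',
    r'event=process_create image=C:\Users\bob\AppData\Local\Temp\RarSFX0\enotproject.exe pid=5280 parent=WinRAR.exe',
    r'event=file_read image="C:\Program Files\Telegram Desktop\Telegram.exe" target="C:\Users\bob\AppData\Roaming\Telegram Desktop\tdata\map0"',
    r'event=file_read image=C:\Users\bob\AppData\Local\Temp\RarSFX0\enotproject.exe target="C:\Users\bob\AppData\Roaming\Telegram Desktop\tdata\map0"',
    r'event=network_connect image=C:\Users\bob\AppData\Local\Temp\RarSFX0\enotproject.exe dest_host=api.pcloud.com dest_port=443',
    r'event=network_connect image="C:\Program Files\Google\Chrome\Application\chrome.exe" dest_host=www.example.org dest_port=443',
]


def parse_line(line):
    """Parse 'key=value' pairs; values containing spaces are double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    """Lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return a list of (rule, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        kind = ev.get("event")
        image = basename(ev.get("image", ""))
        if kind == "process_create" and image in SUSPICIOUS_IMAGES:
            findings.append(("known_telegrab_binary", image))
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
                findings.append(("exfil_to_pcloud", f"{image} -> {host}"))
        elif kind == "file_read":
            target = ev.get("target", "")
            # Telegram reading its own cache is normal; anything else touching it is not.
            if TDATA_RE.search(target) and image != TELEGRAM_IMAGE:
                findings.append(("tdata_read_by_foreign_process", f"{image} read {basename(target)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

The binary names are the weakest of the three rules, since they change with every rebuild; the tdata-access rule is the one that survives renaming, because the technique described above (copy the cache and map files, restore them into another installation) cannot work without reading that folder.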
In light of these events, security researchers at Talos have urged users to take action:
Although it's not exploiting any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake-up call to users of encrypted messaging systems. Features which are not clearly explained and bad defaults can put their privacy in jeopardy.