Researchers have discovered a new malware named TeleGrab, designed to steal chat sessions, contacts and previous chat data from the desktop and Web-based versions of the messaging service Telegram. The malware collects cache and key files from the end-to-end encrypted messaging service. According to Cisco Systems' Talos threat intelligence team, the malware appears to be Russian and primarily targets Russian-speaking victims.
The first version of TeleGrab was initially spotted on 4th April 2018 and was capable of stealing only text files, browser credentials, and cookies. However, a second variant was released just six days later and included a new feature that allows it to collect data from the Telegram desktop cache and Steam login credentials, enabling the attacker to hijack active Telegram chat sessions.
The malware is being distributed using various downloaders written in at least three programming languages - Go, AutoIT, Python - and a prototype for DotNet. Once downloaded, the first malware variant used an executable called finder.exe, while the second variant was distributed using a .RAR self-extracting file. Once executed, it searches for Chrome browser credentials and session cookies for the default user, as well as any text files on the victim's computer. In the second variant, the malware delivers an additional executable, namely enotproject.exe or dpapi.exe.
The finder.exe executable exfiltrates the collected data and uploads it to a pcloud.com website. Researchers noted that the exfiltrated data is not encrypted, which means anyone who has the credentials to the pcloud.com account can easily access the stolen data.
Meanwhile, the additional enotproject.exe or dpapi.exe executables present in the second TeleGrab variant are responsible for finding and harvesting Telegram and Steam-related data, in addition to the ability to hijack a Telegram session. This variant was first spotted in the wild on April 10, 2018.
TeleGrab also checks if the victim’s IP address is part of a list and will immediately exit and abandon its malicious efforts if it is included. This list includes Chinese and Russian IP addresses as well as anonymity services in other countries.
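The behaviours described above (named components reading browser credential stores and the Telegram desktop cache, then uploading to pcloud.com) translate directly into a host-based detection. The following is an added example, not code from the Talos report or from this article: it correlates constructed endpoint telemetry per process and raises an alert when a process that is not the store's own application reads Chrome's Login Data/Cookies or the Telegram Desktop cache and then connects to pcloud.com. The telemetry line format, the Telegram Desktop `tdata` path and the sample events are assumptions made for the example; only the executable names and the pcloud.com destination come from the article.

```python
import re
from collections import defaultdict

# Component names reported for TeleGrab (from the article); name-only matches are weak on their own.
SUSPECT_IMAGES = {"finder.exe", "enotproject.exe", "dpapi.exe"}
# Exfiltration destination reported for TeleGrab; pcloud.com is a legitimate service,
# so a connection alone is not treated as an alert.
EXFIL_DOMAIN_SUFFIXES = ("pcloud.com",)

# (label, regex over the file path, process expected to own that store).
# The Telegram Desktop tdata location is an assumption for this example.
SENSITIVE_STORES = [
    ("chrome_credentials",
     re.compile(r"\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$", re.I), "chrome.exe"),
    ("telegram_tdata", re.compile(r"\\Telegram Desktop\\tdata\\", re.I), "telegram.exe"),
]

# Assumed key=value telemetry format (not a real EDR schema).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+"
    r"action=(?P<action>\S+)\s+target=(?P<target>.+)$")

# Constructed sample telemetry for the example.
SAMPLE_EVENTS = r"""
2018-04-10T10:00:01 pid=4012 image=finder.exe action=file_read target=C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data
2018-04-10T10:00:02 pid=4012 image=finder.exe action=file_read target=C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Cookies
2018-04-10T10:00:05 pid=4012 image=finder.exe action=net_connect target=api.pcloud.com:443
2018-04-10T10:01:00 pid=4100 image=enotproject.exe action=file_read target=C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\map0
2018-04-10T10:01:03 pid=4100 image=enotproject.exe action=net_connect target=api.pcloud.com:443
2018-04-10T10:02:00 pid=5200 image=chrome.exe action=file_read target=C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Cookies
2018-04-10T10:03:00 pid=6300 image=Telegram.exe action=file_read target=C:\Users\v\AppData\Roaming\Telegram Desktop\tdata\map0
2018-04-10T10:04:00 pid=7000 image=backup.exe action=net_connect target=api.pcloud.com:443
2018-04-10T10:05:00 pid=8000 image=dpapi.exe action=file_read target=C:\Users\v\Documents\notes.txt
2018-04-10T10:06:00 pid=9000 image=unknown.exe action=file_read target=C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Cookies
"""


def parse_events(text):
    """Parse telemetry lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_exfil_host(target):
    """True when the connection target (host[:port]) is pcloud.com or a subdomain."""
    host = target.rsplit(":", 1)[0].lower()
    return any(host == s or host.endswith("." + s) for s in EXFIL_DOMAIN_SUFFIXES)


def analyze(text):
    """Correlate events per pid and return {pid: {image, severity, reasons}} for alerts."""
    per_pid = defaultdict(lambda: {"image": None, "stores": set(), "exfil": False})
    for ev in parse_events(text):
        st = per_pid[ev["pid"]]
        st["image"] = ev["image"].lower()
        if ev["action"] == "file_read":
            for label, rx, owner in SENSITIVE_STORES:
                # The owning application reading its own store is normal; anyone else is not.
                if rx.search(ev["target"]) and st["image"] != owner:
                    st["stores"].add(label)
        elif ev["action"] == "net_connect" and is_exfil_host(ev["target"]):
            st["exfil"] = True

    alerts = {}
    for pid, st in per_pid.items():
        reasons = []
        if st["stores"] and st["exfil"]:
            severity = "high"  # credential/cache theft followed by upload to the reported sink
            reasons.append("read %s then connected to pcloud.com" % ", ".join(sorted(st["stores"])))
        elif st["stores"]:
            severity = "low"  # foreign process touching a sensitive store, no exfil seen yet
            reasons.append("non-owner read of %s" % ", ".join(sorted(st["stores"])))
        elif st["image"] in SUSPECT_IMAGES:
            severity = "medium"  # name matches a reported component but no behaviour observed
            reasons.append("image name matches a reported TeleGrab component")
        else:
            continue
        if severity != "medium" and st["image"] in SUSPECT_IMAGES:
            reasons.append("image name matches a reported TeleGrab component")
        alerts[pid] = {"image": st["image"], "severity": severity, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for pid, a in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, a["image"], a["severity"], "; ".join(a["reasons"]))
```

The design point is the correlation: pcloud.com traffic on its own is benign, and a foreign process reading a credential store is only a weak signal, but the two together from one process are the exact sequence the article describes. Because the stolen data is uploaded unencrypted, a network-side check on the same destination would complement this host-side rule.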
Telegram’s cloud-based desktop version does not have an auto-logout feature or a secret chat feature, allowing threat actors to capitalize on this omission and hijack sessions and conversations, Talos researchers noted.
“Notably the Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow session hijacking and with it the victim's contacts and previous chats are compromised,” researchers noted. “Although it's not exploiting any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake-up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy.”
Based on several instructional YouTube videos published by a malware actor about hijacking Telegram sessions using stolen cache files, Cisco Talos believes with “high confidence” that the author of the videos is also the malware author - a user who goes by the monikers “Racoon Hacker” and “Eyenot”. Researchers said the user is likely a native Russian speaker who has an advanced understanding of the Python programming language.
“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant,” Cisco Talos senior security researcher Victor Ventura noted. “However, this shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month, having a significant impact on the victim's privacy.”