Researchers last month detected a new malware that steals not only browser credentials, browser cookies and text files, but also cache and key files from the desktop version of end-to-end encrypted instant messaging service Telegram.
Moreover, the culprit behind the malware has also been linked to several posted YouTube videos that contain instructions for using victims’ exfiltrated Telegram information to hijack their sessions. “In summary, by restoring cache and map files into an existing Telegram desktop installation, if the session was open, it will be possible to access the victim’s session, contacts and previous chats,” explains Talos senior security researcher Vitor Ventura in the post. (Talos senior intelligence analyst Azim Khodjibaev also contributed to the report). “Talos believes with high confidence the author of the video and the author of the malware are the same.”
The original version of TeleGrab, which popped up on Apr. 4, did not target Telegram, but by Apr. 10 a newer variant included this functionality, along with the ability to steal login information for the Steam gaming website. Rather than exploiting a Telegram vulnerability to swipe cache and key files, the malware instead simply abuses weak default security settings in the app’s desktop version.
The malware specifically capitalizes on two issues: First, the cloud-based desktop version is unable to support Secret Chats, which are not stored in the Telegram cloud, and can only be accessed on their devices of origin, where they are permanently stored. And second, Telegram for desktop machines does not offer the auto-logout feature active.
Although the YouTube tutorial video claims that the stolen Telegram information can enable hijacked Telegram session, Ventura notes that there is no known tool at this time that can decrypt Telegram cache information – although in theory one could perhaps be developed. On the other hand, Ventura says it is possible to use a brute-force attack to break the encryption of stolen map files, which contain the keys used to encrypt the files on Telegram desktop data.
“Even with limitations this attack does allow the session hijacking and with it the victims contacts and previous chats are compromised,” Ventura writes. “Although it’s not exploring any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy they privacy.”
Although Russian-speakers are its primary targets, Talos did notice that TeleGrab avoids avoiding certain blacklisted Russian and Chinese IP addresses, as well as IP addresses associated with anonymizer services. Talos notes that the malware is distributed using downloaders written in various coding languages as well as, in the case of variant two, via a RAR self-extractable file.
Analysis of these delivery mechanisms downloaders resulted in the discovery of the Go-based malicious executable finder.exe, which is the component designed to search hard drives for Chrome browser credentials and session cookies, and text files. Variant two also includes a Python-based stub executable with the name enotproject.exe or dpapi.exe, which is the component enables the Telegram and Steam-based data exfiltration. Stolen information is sent to the pcloud.com cloud storage service.
Researchers also found a third version of the malware wrapped in a py2exe executable.
Talos reports with “high confidence” that the malware author goes by multiple aliases including “Racoon Hacker,” “Eyenot” and “Racoon Pogoromist,” and appears to be a native Russian speaker who is adept in Python-based programming.
“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant. However, this shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month, having a significant impact on the victim’s privacy,” Ventura concludes. “These credentials and cookies allow the malware operator to access the victims information on websites like, vk.com, yandex.com, gmail.com, google.com, etc.”