Kaspersky Lab researchers Anton Ivanov and Fedor Sinitsyn have spotted what they are calling the first file-encrypting malware to use the Telegram protocol, specifically its Bot API, as the channel for talking to its operators.
The trojan is written in Delphi and is over 3MB in size; on launch it generates a file-encryption key along with an infection ID, the researchers said in a Nov. 8 blog post. It then sends that information to the threat actors over the publicly available Telegram Bot API, behaving as an ordinary Telegram bot that communicates with its creators through the public API.
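Because the malware talks to a public API rather than to attacker infrastructure, the thing to hunt for on the network is not a domain but a URL shape. Every Bot API request has the form `https://api.telegram.org/bot<TOKEN>/<method>`, so a TLS-inspecting proxy sees the bot token in the path. The following is an added example (not Kaspersky's code, and not taken from the malware) that runs a simple detection over constructed proxy log lines: it flags Bot API calls, extracts the token and method, and reports any process that is not on an allowlist of known Telegram clients. The log format, the process names and the token value are all made up for the example, and the token pattern (numeric bot id, colon, secret) is an assumption matched permissively.

```python
import re
from typing import Dict, FrozenSet, List

# Bot API calls look like https://api.telegram.org/bot<TOKEN>/<method>.
# Token shape (digits, colon, secret) is assumed; match permissively.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Constructed proxy log lines for illustration (not real traffic).
# Format assumed: <timestamp> <host> <process> <url>
SAMPLE_LOG = """\
2016-11-08T10:01:02Z WS-042 chrome.exe https://web.telegram.org/
2016-11-08T10:01:05Z WS-042 svchost_upd.exe https://api.telegram.org/bot123456789:AAExampleSecretTokenValue_abc/sendMessage?chat_id=42&text=infected
2016-11-08T10:01:06Z WS-042 svchost_upd.exe https://api.telegram.org/bot123456789:AAExampleSecretTokenValue_abc/getUpdates
2016-11-08T10:02:00Z WS-017 outlook.exe https://outlook.office365.com/
"""


def find_bot_api_calls(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose URL is a Telegram Bot API call."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        ts, host, process, url = parts
        m = BOT_API_RE.search(url)
        if m:
            hits.append({
                "ts": ts,
                "host": host,
                "process": process,
                "token": m.group("token"),   # leaks in cleartext inside the path
                "method": m.group("method"),
            })
    return hits


def suspicious_processes(hits: List[Dict[str, str]],
                         allowlist: FrozenSet[str] = frozenset({"telegram.exe"})) -> List[str]:
    """Processes calling the Bot API that are not known Telegram clients (allowlist is hypothetical)."""
    return sorted({h["process"] for h in hits if h["process"].lower() not in allowlist})


if __name__ == "__main__":
    calls = find_bot_api_calls(SAMPLE_LOG)
    for c in calls:
        print(f'{c["ts"]} {c["host"]} {c["process"]} -> {c["method"]} (token {c["token"]})')
    print("suspicious:", suspicious_processes(calls))
```

Two things fall out of this for a responder: the token recovered from traffic (or from the sample itself) identifies the attacker's bot, and any non-Telegram process calling `api.telegram.org/bot…` on an endpoint is worth pulling for analysis, since legitimate desktop clients do not use the Bot API.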
Once the malware has sent that information to its creator, it searches the hard drives for files with specific extensions and encrypts them byte by byte, using the simple scheme of adding each file byte to the corresponding key byte, the researchers said in the post.
“We think that using Telegram API to send information from the victim to the threat actor is the most interesting feature of this malware,” Anton Ivanov, senior malware analyst at Kaspersky Lab, told SC Media via emailed comments.
Like similar malware, the Telegram ransomware exists to earn money for its creators, the researchers said. “The main unique feature of this malware is that it is using Telegram API to send information, which the threat actor needs for decryption,” Ivanov said.
He added that the researchers don’t believe the threat actor who created this malware is very skilled, because the actor used a very simple algorithm for file encryption. He recommended that users not open any files from untrusted sources.