Researchers have revealed new malware designed to collect information from messaging service Telegram.
On Wednesday, Cisco Talos researchers Vitor Ventura and Azim Khodjibaev said that over the past six weeks, the team has monitored the emergence of what has been called Telegrab.
This malware has been designed to collect cache and key files from Telegram, an end-to-end encrypted messaging service.
The malicious code was first spotted in the wild on 4 April 2018, and a second variant emerged only six days later.
While the first version of Telegrab only stole text files, browser credentials, and cookies, the second also added new functionality which allowed the malware to collect data from Telegram’s desktop cache — alongside Steam login credentials — in order to hijack active Telegram sessions.
“Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow the session hijacking and with it, the victims’ contacts and previous chats are compromised,” the team says.
The malware impacts the desktop version of Telegram. However, it is not a security vulnerability that is at fault.
Cisco Talos blames “weak default settings” in this version of the chat service, and the malware also abuses the absence of Secret Chats — which are not available on desktop.
“The malware abuses the lack of Secret Chats which is a feature, not a bug,” Talos added. “Telegram desktop by default doesn’t have the auto-logout feature active. These two elements together are what allows the malware to hijack the session and consequently the conversations.”
Telegram says in its FAQ:
“Secret chats require permanent storage on the device, something that Telegram Desktop and Telegram Web don’t support at the moment. We may add this in the future. Currently, both the desktop and the web app load messages from the Cloud on startup and discard them when you quit.
Since secret chats are not part of the cloud, this would kill all your secret chats each time you shut down your computer.”
Investigating how the malware operates led the team towards who they believe to be the threat actor behind Telegrab with “high confidence.” The malware author appears to be a user that goes under the names of “Racoon Hacker” and “Eyenot.”
Several YouTube videos which are believed to have been posted by Eyenot instruct watchers on how to hijack Telegram sessions using the stolen cache files.
“In summary, [it is possible] by restoring cache and map files into an existing Telegram desktop installation, if the session was open,” the team says. “It will be possible to access the victims’ session, contacts, and previous chats.”
The operator behind this malware uses hardcoded pcloud.com accounts to store exfiltrated information. This data is not encrypted and so if a visitor has the correct credentials, they can download all of the information on offer and then access the stolen data through Telegram’s desktop software.
According to Talos, the malware is generally targeting Russian-speaking victims.
Telegrab is being distributed through downloaders written in at least three different programming languages — Go, AutoIT, and Python — as well as a prototype version based on DotNet.
Once downloaded, the first malware variant uses an executable called finder.exe, whilst the second is distributed through a .RAR self-extracting file.
When the malware is executed, Telegrab will search for Chrome browser credentials and session cookies for the default user, as well as any .txt files present on the system.
The second variant will also drop and execute additional executables, enotproject.exe or dpapi.exe, in order to find and exfiltrate Telegram and Steam-related data, as well as potentially hijack a Telegram session.
Telegrab will also check a victim’s IP address. If the IP address is on a blacklist which contains a selection of addresses from China, Russia, and anonymity services, the malware will exit and abandon efforts to steal data.
There is no persistence mechanism, and so it seems the operators are only interested in smash-and-grab data theft.
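The behaviour described above (named components, exfiltration to pcloud.com, no persistence) translates into a simple host-level detection. The following is an added example, not code from Talos or ZDNet: it parses constructed endpoint telemetry in an assumed `timestamp event key=value` format and flags the indicators the article names; the hostname and paths in the sample log are constructed.

```python
import ntpath
import re

# Indicators named in the article. The log format and sample lines below are constructed.
SUSPECT_IMAGES = {"finder.exe", "enotproject.exe", "dpapi.exe"}
EXFIL_DOMAIN = "pcloud.com"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>process|netconn)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one 'ts event k=v k=v' record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(f.split("=", 1) for f in m.group("fields").split())
    fields.update(ts=m.group("ts"), event=m.group("event"))
    return fields


def scan(lines):
    """Return a list of (timestamp, reason) findings for Telegrab-like activity."""
    findings = []
    flagged = set()  # images already seen as suspect, used to correlate later network events
    for rec in filter(None, map(parse_line, lines)):
        image = ntpath.basename(rec.get("image", "")).lower()
        if rec["event"] == "process" and image in SUSPECT_IMAGES:
            flagged.add(image)
            findings.append((rec["ts"], f"known Telegrab component started: {image}"))
        elif rec["event"] == "netconn":
            host = rec.get("dest", "").rsplit(":", 1)[0].lower()
            if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
                who = "flagged component" if image in flagged else "unflagged process"
                findings.append((rec["ts"], f"{who} {image} connected to {host} (possible exfiltration)"))
    return findings


# Constructed sample telemetry: an SFX drops finder.exe, which starts enotproject.exe,
# which then uploads to a pcloud.com host; the explorer.exe lines are benign noise.
SAMPLE_LOG = r"""
2018-04-10T09:01:02Z process image=C:\Users\alice\AppData\Local\Temp\finder.exe
2018-04-10T09:01:05Z process image=C:\Users\alice\AppData\Local\Temp\enotproject.exe parent=finder.exe
2018-04-10T09:01:09Z netconn image=C:\Users\alice\AppData\Local\Temp\enotproject.exe dest=api.pcloud.com:443
2018-04-10T09:05:00Z process image=C:\Windows\explorer.exe
2018-04-10T09:06:00Z netconn image=C:\Windows\explorer.exe dest=www.example.com:443
""".strip().splitlines()

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Because the article notes the malware installs no persistence, the window for this detection is the single execution; pairing the process alert with the outbound connection is what separates it from an innocuous file named dpapi.exe.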
“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant,” the researchers say. “However, this shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month, having a significant impact on the victim’s privacy.”
ZDNet has reached out to Telegram and will update if we hear back.