Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
May 17, 2018

Telegrab: Russian malware hijacks Telegram sessions

Researchers have discovered and analyzed an unusual piece of malware that, among other things, seeks to collect cache and key files from end-to-end encrypted instant messaging service Telegram.

The malware’s capabilities

Cisco Talos researchers Vitor Ventura and Azim Khodjibaev dubbed the malware Telegrab.

They analyzed two versions of it. The first one, discovered on April 4, 2018, only stole browser credentials, cookies, and every text file it could find on the system. The second one, spotted less than a week later, is also capable of collecting Telegram’s desktop cache and key files, as well as login information for the Steam website.

To steal Telegram cache and key files, the malware does not exploit any software flaw. It can only target the desktop version of the popular messenger, because that version does not support Secret Chats and does not have the auto-logout feature enabled by default.

This means that the attacker can use those stolen files to access the victim’s Telegram session (if the session is open), contacts and previous chats.

Telegrab is distributed via a variety of downloaders, and it checks if the victim’s IP address is part of a list that includes Chinese and Russian IP addresses, along with those of anonymity services in other countries. If it is, it will exit.

It also has no persistence mechanism, so it will not run again after a system reboot.

The stolen data and files are exfiltrated to one of five pCloud accounts (pCloud is a Switzerland-based cloud storage service). They are not encrypted, so anyone who holds the credentials to those accounts, or obtains them, can access this information.
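The behaviour described above gives a defender two observable signals: a process other than Telegram reading the Telegram Desktop session files, followed shortly by a network connection to pCloud. The following detection logic, an added example that is not part of the article or of the Talos research, correlates those two signals over constructed endpoint telemetry. It assumes Telegram Desktop keeps its session files under a `tdata` directory inside its profile folder and that pCloud is reached via hosts under `pcloud.com`; both the log format and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), one event per line:
# "<ISO timestamp> <pid> <process> <FILE_READ|NET_CONNECT> <target>"
SAMPLE_EVENTS = """\
2018-04-10T09:00:01 4120 Telegram.exe FILE_READ C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas
2018-04-10T09:00:05 5212 updater.exe FILE_READ C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas
2018-04-10T09:00:06 5212 updater.exe FILE_READ C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\\ABCDEF0123456789\\map0
2018-04-10T09:00:40 5212 updater.exe NET_CONNECT api.pcloud.com:443
2018-04-10T09:05:00 6001 chrome.exe NET_CONNECT api.pcloud.com:443
"""

# Assumed location of Telegram Desktop session data (cache and key files).
TDATA_MARKER = re.compile(r"telegram desktop[\\/]tdata[\\/]", re.IGNORECASE)
ALLOWED_READERS = {"telegram.exe"}   # the only process expected to touch tdata
WINDOW = timedelta(minutes=5)        # max gap between file read and upload


def is_pcloud(host):
    """True for pcloud.com and any of its subdomains (assumed exfil hosts)."""
    host = host.lower()
    return host == "pcloud.com" or host.endswith(".pcloud.com")


def parse_event(line):
    ts, pid, proc, kind, target = line.split(maxsplit=4)  # target may contain spaces
    return datetime.fromisoformat(ts), int(pid), proc, kind, target


def detect(events_text):
    """Return (alert_type, pid, process) tuples in the order they fire."""
    tdata_reads = defaultdict(list)   # pid -> timestamps of suspicious tdata reads
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, kind, target = parse_event(line)
        if kind == "FILE_READ" and TDATA_MARKER.search(target):
            if proc.lower() in ALLOWED_READERS:
                continue
            if not tdata_reads[pid]:          # alert once per process
                alerts.append(("TDATA_READ", pid, proc))
            tdata_reads[pid].append(ts)
        elif kind == "NET_CONNECT" and is_pcloud(target.rsplit(":", 1)[0]):
            # Only escalate when the same process recently read session files.
            if any(ts - t <= WINDOW for t in tdata_reads.get(pid, [])):
                alerts.append(("SESSION_EXFIL", pid, proc))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, `updater.exe` raises a `TDATA_READ` alert and then a `SESSION_EXFIL` alert, while the unrelated `chrome.exe` connection to pCloud is not flagged on its own.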

“The malware samples analysed are not particularly sophisticated but they are efficient,” the researchers noted.

“Notably, the Telegram session hijacking is the most interesting feature of this malware. Even with limitations, this attack does allow session hijacking, and with it the victim’s contacts and previous chats are compromised.”

They also pointed out that the malware should be considered a wake-up call for users of encrypted messaging systems. “Features which are not clearly explained and bad defaults can put in jeopardy their privacy,” they noted.

About Telegrab’s creator

The researchers are fairly confident that the creator of the malware is a native Russian speaker who goes online by “Racoon Hacker” or “Eyenot”.


This individual has published a number of posts and videos that relate to other account hijackers or to the development of payload loaders, show how to steal Telegram sessions, and so on. Information gleaned from these videos points to Racoon Hacker/Eyenot, who is also very active on Russian hacking forums and has a GitHub account.
