Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
May 17, 2018
Telegrab: Russian malware hijacks Telegram sessions

Researchers have discovered and analyzed an unusual piece of malware that, among other things, collects cache and key files from Telegram Desktop, the desktop client of the Telegram instant messaging service (Telegram offers end-to-end encryption only in its Secret Chats).

The malware’s capabilities

Cisco Talos researchers Vitor Ventura and Azim Khodjibaev dubbed the malware Telegrab.

They analyzed two versions of it. The first, discovered on April 4, 2018, only stole browser credentials, cookies, and every text file it could find on the system. The second, spotted less than a week later, also collects Telegram Desktop's cache and key files, as well as login information for the Steam website.

The malware does not exploit any software flaw to get at the Telegram cache and key files; it simply copies them from disk. It can only target the desktop client, because Telegram Desktop does not support Secret Chats and does not have the auto-logout feature active by default, so the locally stored session data remains valid and reusable.

This means that an attacker who restores those stolen files into their own Telegram Desktop installation can take over the victim's session (as long as the session is still open) and gain access to the victim's contacts and previous chats.

Telegrab is distributed via a variety of downloaders. Before doing anything else, it checks whether the victim's IP address falls within a list that includes Chinese and Russian address ranges, along with those of anonymity services in other countries; if it does, the malware exits.

It also has no persistence mechanism, so it will not run again after a system reboot.

The stolen data and files are exfiltrated to one of five pCloud accounts (pCloud is a Switzerland-based cloud storage service). They are uploaded unencrypted, so anyone who has, or manages to obtain, the credentials to those accounts can read everything the malware has collected.
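The two behaviours described above, a process other than Telegram reading Telegram Desktop's session store and the same process then talking to pCloud, are a natural pair of detection signals. The following is an added example written for this page, not code from Cisco Talos or from the malware; it runs a toy correlation over constructed, EDR-style file-access and network events. The `tdata` folder location under `%APPDATA%\Telegram Desktop` is real; the file names inside it, the `.pcloud.com` host suffix and the process names in the sample events are assumptions for the sake of illustration.

```python
"""Toy detection pass for Telegrab-style Telegram session theft.

Signal 1: a process that is not Telegram itself reads files under
Telegram Desktop's session store (the "tdata" folder).
Signal 2: the same process opens a connection to a pCloud host.
Both together are rated high; a tdata read on its own is rated medium,
because backup and sync tools legitimately read that folder too.
"""
from collections import defaultdict

# Telegram Desktop keeps session data under %APPDATA%\Telegram Desktop\tdata.
TDATA_MARKER = "\\telegram desktop\\tdata\\"
# Process image names allowed to touch tdata (assumption: only the client itself).
TELEGRAM_IMAGES = {"telegram.exe"}
# Assumed exfiltration hosts: anything under pcloud.com.
EXFIL_HOST_SUFFIXES = (".pcloud.com",)

# Constructed sample events, modelled loosely on EDR telemetry. Process and
# file names are illustrative, not indicators from the Talos report.
SAMPLE_EVENTS = [
    {"ts": "2018-04-10T09:12:01Z", "type": "file_read", "pid": 4120,
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"},
    {"ts": "2018-04-10T09:13:40Z", "type": "file_read", "pid": 5388,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"},
    {"ts": "2018-04-10T09:13:41Z", "type": "file_read", "pid": 5388,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\tdata\\map0"},
    {"ts": "2018-04-10T09:13:55Z", "type": "net_connect", "pid": 5388,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "dst_host": "api.pcloud.com", "dst_port": 443},
    {"ts": "2018-04-10T09:20:00Z", "type": "net_connect", "pid": 7001,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst_host": "my.pcloud.com", "dst_port": 443},
    {"ts": "2018-04-10T10:00:00Z", "type": "file_read", "pid": 8800,
     "image": "C:\\Program Files\\BackupTool\\backup.exe",
     "path": "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\tdata\\map0"},
]


def image_name(path):
    """Return the lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_tdata_path(path):
    """True if the file lives inside Telegram Desktop's tdata folder."""
    return TDATA_MARKER in path.replace("/", "\\").lower()


def is_exfil_host(host):
    """True if the destination host is one of the assumed exfiltration hosts."""
    h = host.lower().rstrip(".")
    return any(h == s.lstrip(".") or h.endswith(s) for s in EXFIL_HOST_SUFFIXES)


def analyse(events):
    """Correlate tdata reads and pCloud connections per process id."""
    tdata_reads = defaultdict(list)   # pid -> tdata paths read by a non-Telegram image
    exfil_hosts = defaultdict(list)   # pid -> pCloud hosts contacted
    images = {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        if (ev["type"] == "file_read" and is_tdata_path(ev["path"])
                and image_name(ev["image"]) not in TELEGRAM_IMAGES):
            tdata_reads[ev["pid"]].append(ev["path"])
        elif ev["type"] == "net_connect" and is_exfil_host(ev["dst_host"]):
            exfil_hosts[ev["pid"]].append(ev["dst_host"])

    findings = []
    for pid, paths in tdata_reads.items():
        findings.append({
            "pid": pid,
            "image": images[pid],
            "severity": "high" if pid in exfil_hosts else "medium",
            "tdata_files": paths,
            "exfil_hosts": exfil_hosts.get(pid, []),
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Running it flags `update.exe` as high (it read two tdata files and then connected to `api.pcloud.com`) and `backup.exe` as medium; the browser session to `my.pcloud.com` and Telegram's own reads of its store produce nothing. The medium tier is deliberate: a tdata read by an unexpected process is worth a look but, on its own, is not proof of theft.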

“The malware samples analysed are not particularly sophisticated but they are efficient,” the researchers noted.

“Notably, the Telegram session hijacking is the most interesting feature of this malware. Even with limitations, this attack does allow session hijacking, and with it the victim’s contacts and previous chats are compromised.”

They also pointed out that the malware should be considered a wake-up call for users of encrypted messaging systems. “Features which are not clearly explained and bad defaults can put in jeopardy their privacy,” they noted.

About Telegrab’s creator

The researchers are fairly confident that the creator of the malware is a native Russian speaker who goes by the handles “Racoon Hacker” and “Eyenot” online.


This individual has published a number of posts and videos about other account hijackers and the development of payload loaders, including demonstrations of how to steal Telegram sessions. Information gleaned from those videos points to Racoon Hacker/Eyenot, who is also very active on Russian hacking forums and maintains a GitHub account.