Russian Telegrab Malware Gathers Telegram Credentials, Cookies, Desktop Cache, and Critical Files
Security experts at the Cisco Talos Group have discovered a new type of malicious software, Telegrab, that targets the desktop version of the end-to-end encrypted instant messaging service Telegram.
The analysis shows that the malware was developed by a Russian-speaking attacker and that its intended victims are Russian-speaking users. The malicious code captured by the researchers is a variant of Telegrab that was first seen in the wild on April 4, 2018, collecting cache and key files from the Telegram application. A second version appeared on April 10, 2018. Unlike the first version, this one also obtains the Telegram desktop cache and mobile login credentials in addition to text files, browser credentials, cookies, and Telegram session data.
“Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.”
Talos researchers have also found that the malicious code deliberately avoids running on IP addresses associated with anonymizing services. The attackers behind it use multiple hard-coded pcloud.com accounts to store the harvested data, and because the stolen information is not encrypted, anyone who obtains those account credentials can retrieve the compromised data.
“This malware should be considered a wakeup call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy,” conclude the Talos experts.
“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant.”
“The malware samples analysed are not particularly sophisticated but they are efficient. There are no persistence mechanisms, meaning victims execute the malware every time, but not after reboots”.