TeleGrab: Malware that can Hijack Your Private Telegram Session

A new type of malicious software dubbed TeleGrab has recently been discovered by researchers at Cisco Talos. It does not target ordinary users’ computers and the personal data on them. Instead, it targets a cloud-based instant messaging service called Telegram. An in-depth analysis by specialists has shown that this malicious application primarily targets victims who speak Russian. It has also been observed to avoid IP addresses associated with so-called anonymizer services. Two different versions of the malicious application exist. The first was detected on the 4th of April, 2018, whereas the second was discovered in the wild on the 10th of the same month. Research has revealed that they differ slightly from each other. Let’s look at the key differences between them.

The initial version of TeleGrab can only steal browser credentials and cookies together with some text files. As for the second version of this malicious application, it is also capable of collecting Telegram’s key files, cache, and login credentials used to log into the Steam store. Generally speaking, the latest version of TeleGrab can hijack active sessions too. It should be emphasized that it affects only the desktop version of Telegram, so if you use the mobile version of this application, you should be fine.

As mentioned in the previous paragraph, TeleGrab has been designed to affect only the desktop version of Telegram. The desktop version does not support Secret Chats and usually has weaker default settings. Why does this feature not exist on the desktop version? The main reason is that it requires permanent storage on the device, and Telegram Desktop does not support this right now since it is an entirely cloud-based service. Because TeleGrab affects the desktop version of Telegram through the absence of this feature and through weak settings, it would not be accurate to say that it exploits some kind of Telegram vulnerability. No bugs were found in the application either.

During their investigation, researchers managed to identify the threat actor behind TeleGrab: a hacker who uses the nicknames Racoon Hacker and Eyenot. Specifically, specialists have found videos with instructions on how to hijack Telegram sessions using stolen Telegram cache files. It seems that by restoring both cache and map files, it may be possible to access victims’ sessions, chats, and even contacts. Luckily, this is not so easy to do. Experts at Cisco Talos say that a tool that could be used to decrypt cache information is not available for the time being, but, of course, there is a possibility that it will be developed in the future. As for the map files, a brute-force mechanism that would allow hackers to get into them might be created without much difficulty as well.

What about the distribution of TeleGrab? This malicious application is mainly distributed using downloaders written in several different programming languages. Cisco Talos specialists have found three: Go, AutoIT, and Python. They have also come across a DotNet-based prototype version. Once the malicious application is downloaded, its first variant uses finder.exe, whereas the second one is spread via a self-extracting .rar file. After execution, the first variant of TeleGrab searches for Google Chrome credentials and cookies. In addition, it finds .txt files present on the system. As for the second one, it drops the additional executables enotproject.exe or dpapi.exe in order to access Telegram and Steam data and, later on, use it to hijack the session. The latter executable file is responsible for the exfiltration of the stolen data as well. Once the Telegram information is exfiltrated, it is uploaded to pcloud.com. This information is not encrypted in any way, meaning that anybody who has the correct credentials can download it and then access it using Telegram’s desktop software.
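A defender-side way to hunt for the behaviour described above, as an added example that is not from Cisco Talos or the original article: it flags the executable names the article lists, reads of Telegram Desktop session files by any process other than Telegram itself, and a pcloud.com connection from that same process shortly afterwards. The event fields, the `tdata` folder location, the `detect` function and the sample records are assumptions made for the illustration.

```python
from ntpath import basename  # parses Windows-style paths on any OS

# Executable names and upload host as reported in the article.
DROPPED = {"finder.exe", "enotproject.exe", "dpapi.exe"}
UPLOAD_DOMAIN = "pcloud.com"
# Assumption: Telegram Desktop keeps its session files under this folder.
TDATA = "\\telegram desktop\\tdata\\"

def detect(events, window=600):
    """Return sorted (host, process, finding) tuples for TeleGrab-like behaviour."""
    findings = set()
    readers = {}  # (host, process) -> time of first tdata read by a non-Telegram process
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc = basename(ev["image"]).lower()
        key = (ev["host"], proc)
        target = ev["target"].lower()
        if proc in DROPPED:
            findings.add((*key, "known-dropper-name"))
        if ev["type"] == "file_read" and TDATA in target and proc != "telegram.exe":
            # Name match only; a production rule should also check path and signer.
            readers.setdefault(key, ev["ts"])
            findings.add((*key, "foreign-tdata-read"))
        elif ev["type"] == "net_connect":
            to_pcloud = target == UPLOAD_DOMAIN or target.endswith("." + UPLOAD_DOMAIN)
            if to_pcloud and key in readers and ev["ts"] - readers[key] <= window:
                findings.add((*key, "tdata-read-then-upload"))
    return sorted(findings)

# Constructed sample events (not real telemetry); ts is seconds.
SAMPLE = [
    {"ts": 100, "host": "ws1", "type": "file_read",
     "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "target": r"C:\Users\a\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"ts": 200, "host": "ws2", "type": "file_read",
     "image": r"C:\Users\b\AppData\Local\Temp\dpapi.exe",
     "target": r"C:\Users\b\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"ts": 260, "host": "ws2", "type": "net_connect",
     "image": r"C:\Users\b\AppData\Local\Temp\dpapi.exe", "target": "api.pcloud.com"},
    {"ts": 300, "host": "ws3", "type": "net_connect",
     "image": r"C:\Program Files\Backup\sync.exe", "target": "api.pcloud.com"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE):
        print(row)
```

Legitimate pCloud use on its own (host ws3 in the sample) is not flagged; only the read-then-upload sequence from one process is.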

Even though TeleGrab is not as dangerous as some other threats, e.g. large bot networks, it might still be able to hijack the Telegram session and thus compromise users’ private contacts and chats. Specialists at Cisco Talos say that “this malware should be considered a wake-up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put their privacy in jeopardy.”

References:

  1. Free stock photos. Pexels
  2. Osborne, C. Telegrab malware hijacks Telegram desktop sessions. ZDNet
  3. Ventura, V. and A. Khodjibaev. TeleGrab – Grizzly Attacks on Secure Messaging. Cisco Talos blog.