Security researchers have discovered a new variant of Telegrab malware which is capable of stealing information from the desktop version of instant messaging service Telegram.
The new variant was spotted by researchers from Cisco's Talos group on April 10, 2018. According to them, the malware collects cache and key files from the end-to-end encrypted instant messaging service Telegram.
The first version, discovered on April 4, 2018, only stole browser credentials, browser cookies and every text file it found on the system. The researchers said they have identified the author behind the attack, who has posted several tutorial videos for the Telegrab malware on YouTube. The attacker uses several hardcoded pcloud.com accounts to store the exfiltrated data. The stolen data is not encrypted, so anyone with access to these credentials can read the exfiltrated data. Telegrab does not exploit any vulnerability in Telegram; instead it takes advantage of the weak default settings of the desktop version of Telegram.
The malware abuses the lack of secret chats and of an auto-logout feature in the desktop version of Telegram. “The malware abuses the lack of Secret Chats which is a feature, not a bug. Telegram desktop by default doesn't have the auto-logout feature active. These two elements together are what allows the malware to hijack the session and consequently the conversations.”

Telegrab works by restoring the stolen cache and map files into an existing Telegram Desktop installation. If the session was still open, the attacker gains access to the victim's session, contacts and previous chats.

According to the analysis, the researchers were able to link the malware to a user who goes by the online handle Racoon Hacker, also known as Eyenot (Енот / Enot) and Racoon Pogoromist (sic), and who appears to be a native Russian speaker. The malware mainly targets Russian-speaking users and intentionally avoids IP addresses related to anonymizer services.

“Notably the Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow session hijacking and with it the victim's contacts and previous chats are compromised. Although it's not exploiting any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy,” Cisco Talos said in its blog post.
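As an added example (not code from the article or from Cisco Talos), the following Python heuristic turns the behaviour described above into a detection over constructed endpoint telemetry: a process other than the Telegram client reads Telegram Desktop session files and then connects to pcloud.com from the same host. The data-directory pattern, the event line format and every sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumption for this example: Telegram Desktop keeps its session/cache
# files (the map and key files the article mentions) under a "tdata"
# directory. Adjust the pattern to your own telemetry's path format.
TELEGRAM_DATA_RE = re.compile(r"Telegram Desktop[\\/]tdata[\\/]", re.IGNORECASE)
TRUSTED_PROCESSES = {"telegram.exe"}   # the legitimate client itself
EXFIL_DOMAINS = {"pcloud.com"}          # storage service named in the article

# Constructed sample telemetry (not real logs): time host type process detail
SAMPLE_EVENTS = """
2018-04-10T09:00:01 ws01 FILE_READ Telegram.exe C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\map0
2018-04-10T09:00:05 ws01 FILE_READ svchost.exe C:\\Windows\\System32\\drivers\\etc\\hosts
2018-04-10T09:02:10 ws01 FILE_READ updater.exe C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\map0
2018-04-10T09:02:11 ws01 FILE_READ updater.exe C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas
2018-04-10T09:02:30 ws01 NET_CONNECT updater.exe api.pcloud.com:443
2018-04-10T09:03:00 ws02 NET_CONNECT chrome.exe api.pcloud.com:443
""".strip().splitlines()

def parse_event(line):
    # The detail field may contain spaces (e.g. "Telegram Desktop"), so split at most 4 times.
    ts, host, etype, proc, detail = line.split(" ", 4)
    return {"ts": ts, "host": host, "type": etype, "proc": proc, "detail": detail}

def detect_session_theft(lines):
    """Flag a non-Telegram process that reads Telegram session files and
    afterwards connects to a known drop site from the same host."""
    readers = defaultdict(list)   # (host, process) -> session files it read
    alerts = []
    for ev in map(parse_event, lines):
        if ev["proc"].lower() in TRUSTED_PROCESSES:
            continue              # the client itself is expected to touch tdata
        key = (ev["host"], ev["proc"])
        if ev["type"] == "FILE_READ" and TELEGRAM_DATA_RE.search(ev["detail"]):
            readers[key].append(ev["detail"])
        elif ev["type"] == "NET_CONNECT" and readers.get(key):
            dest = ev["detail"].rsplit(":", 1)[0].lower()
            if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
                alerts.append({"host": ev["host"], "proc": ev["proc"],
                               "files": list(readers[key]), "dest": dest})
    return alerts

if __name__ == "__main__":
    for alert in detect_session_theft(SAMPLE_EVENTS):
        print("Possible Telegram session theft:", alert)
```

Only the process that both read the session files and then reached pcloud.com is flagged; the browser on ws02 that merely connects to pcloud.com, and the Telegram client reading its own files, are not.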