TeleGrab steals swipes Telegram cache and key files

Researchers have discovered a malware in the end-to-end encrypted instant messaging service Telegram that seeks to collect cache and key files from.

Cisco Talos researchers Vitor Ventura and Azim Khodjibaev dubbed the malware Telegrab.

They analyzed two versions of it. The first one, discovered on April 4, 2018, only stole browser credentials, cookies, and all text files it can find on the system. The second one, spotted less than a week later, is also capable of collecting Telegram’s desktop cache and key files and login information for the Steam website.

To steal Telegram cache and key files, the malware is not taking advantage of software flaws. The malware is capable of targeting only the desktop version of the popular messenger because it does not support Secret Chats and does not have the auto-logout feature active by default.

This means that the attacker can use those stolen files to access the victim’s Telegram session, contacts and previous chats.

Telegrab is distributed via a variety of downloaders, and it checks if the victim’s IP address is part of a list that includes Chinese and Russian IP addresses, along with those of anonymity services in other countries. If it is, it will exit.

It also doesn’t have a persistence mechanism, so it won’t work after a system reboot.

The stolen data and files are exfiltrated to one of five pCloud account. They are not encrypted, so technically anyone who has the credentials to those accounts or gets their hands on them can access this information.

“The malware samples analysed are not particularly sophisticated but they are efficient,” the researchers noted.

“Notably the Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow session hijacking and with it the victim’s contacts and previous chats are compromised.”