Telegrab malware hijacks Telegram desktop sessions

Posted on May 17, 2018

Telegrab malware hijacks Telegram desktop sessions

Researchers have revealed new malware designed to collect information from messaging service Telegram. On Wednesday, Cisco Talos researchers Vitor Ventura and Azim Khodjibaev said that over the past six weeks, the team has monitored the emergence of what has been called Telegrab. This malware has been designed to collect cache and key files from Telegram, an end-to-end encrypted messaging service.

The malicious code was first spotted in the wild on 4 April 2018, and a second variant emerged only six days later. While the first version of Telegrab only stole text files, browser credentials, and cookies, the second also added new functionality which allowed the malware to collect data from Telegram’s desktop cache — alongside Steam login credentials — in order to hijack active Telegram sessions. The malware impacts the desktop version of Telegram.

However, it is not a security vulnerability that is at fault. Cisco Talos blames ‘weak default settings’ on this version of the chat service, and the malware also abuses the lack of Secret Chats — which is not available on desktop. The operator behind this malware uses hardcoded accounts to store exfiltrated information.

This data is not encrypted and so if a visitor has the correct credentials, they can download all of the information on offer and then access the stolen data through Telegram’s desktop software.