Russian Malware Compromises Telegram Chats

Newly discovered malware has taken advantage of security weaknesses in the desktop client used by the Telegram encrypted communications service to steal previous chats and other information.

While the “TeleGrab” malware has not so far operated on a large scale, researchers at Cisco’s Talos security group said it should be a “wake-up call” for individuals using encrypted communications programs.

“Features which are not clearly explained and bad defaults can put in jeopardy their privacy,” wrote Cisco’s Vitor Ventura and Azim Khodjibaev in an advisory. “This shows how a small operation can fly under the radar and compromise thousands of credentials in less than a month.”

The researchers discovered two versions of TeleGrab in April, one of which only looked for Chrome browser cookies and session credentials, along with text files. The second added the ability to collect cache and key files for the Telegram desktop application.

Credit: Cisco Talos

Session hijack

“This attack does allow session hijacking and with it the victim’s contacts and previous chats are compromised,” Ventura and Khodjibaev wrote.

The malware doesn’t exploit a vulnerability in Telegram, instead taking advantage of the fact that the desktop version of the client doesn’t support Secret Chats, which are end-to-end encrypted, and settings that don’t log the user out by default.

“These two elements together are what allows the malware to hijack the session and consequently the conversations,” the Cisco advisory said.

They added that the technique doesn’t affect encrypted conversations on the mobile platform.

Cisco found a tutorial video explaining how to use the information stolen by TeleGrabber to hijack Telegram sessions, “by restoring cache and map files into an existing Telegram desktop installation, if the session was open”.

When that is done it is possible to access the target’s session, contacts and previous chats.

Cisco said it doesn’t know of a tool for decrypting the information, but said “it would not be hard” to create one.

Russian hacker

Telegram was founded by Russian entrepreneur Pavel Durov, and based on the instructional video Cisco said it believes the hacker is a native Russian speaker.

Cisco found various online postings in hacker forums related to the malware, including a video posted on the Russian site lolzteam.net called “Telegram breaking in 2018”.

The video was posted with the username “Raccoon Pogromist”, Cisco said.

The malware is being distributed via several different downloaders, according to the advisory, which outlined ways security software can be set up to block the attack.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

1 hour ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

2 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

3 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

5 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

7 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

8 hours ago