Recently discovered malware steals cache data and secure messaging sessions from the desktop version of encrypted messaging service Telegram.
The malware, dubbed TeleGrab, leverages weak default settings in the design of Telegram’s desktop version along with the desktop’s lack of support for Secret Chats, according to researchers with Cisco’s Talos team.
Unlike the mobile version of Telegram, the desktop version does not offer the end-to-end encrypted messaging feature called Secret Chats. Every desktop conversation is therefore a server-synced cloud chat, which means an attacker who already has access to a target's computer can "hijack" the Telegram session, and with it the chat history, simply by copying the program's cache and session files, according to researchers.
“The malware abuses the lack of Secret Chats which is a feature, not a bug,” wrote researchers in a technical description of the malware posted Wednesday. “Telegram desktop by default doesn’t have the auto-logout feature active. These two elements together are what allows the malware to hijack the session and consequently the conversations.”
That absence of Secret Chats on the desktop is something Telegram is open about in its FAQ:
“Secret chats require permanent storage on the device, something that Telegram Desktop and Telegram Web don’t support at the moment. We may add this in the future.”
The malware gathers all Telegram cache data and zips it before exfiltrating the data. By restoring cache and map files into an existing Telegram desktop installation with an open session, an attacker can then access the victims’ contacts and previous chats, researchers said.
“The data collected from infected systems could allow an attacker to hijack Telegram sessions simply by restoring the cache and map files into an existing attacker-controlled Telegram desktop installation,” Talos researcher Edmund Brumaghin told Threatpost. “This effectively provides the attacker the ability to access the victim’s sessions, contacts, and previous chats.”
That said, “to the best of Talos’ knowledge, there is no tool to decrypt the cache information,” the researchers wrote. However, they found a GitHub discussion suggesting that it would be possible to develop a tool to decrypt the cache information.
The malware operators use several hardcoded pcloud.com accounts to store the exfiltrated information. The uploads are not encrypted, so anyone who obtains those hardcoded credentials can read the stolen data, researchers said.
“The keys used to encrypt the files on Telegram desktop data are stored in the map files, which are encrypted by the password of the user,” researchers wrote. “Assuming that the attacker does not have the password for these files, it would not be hard for them to create a brute-force mechanism that could allow them to get into these files.”
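The theft pattern described above (a non-Telegram process reading the Telegram Desktop data directory, zipping it, and pushing the archive to pcloud.com) is detectable from ordinary endpoint telemetry. The following is an added detection example written for this article, not Talos code and not part of the original report. It assumes a hypothetical Sysmon-like event stream with fields `ts`, `pid`, `image`, `type` and `target`; the Telegram Desktop data directory (`%APPDATA%\Telegram Desktop\tdata`) and the pcloud.com hostname are the only real-world specifics used, and the sample events and filenames are constructed.

```python
"""Flag TeleGrab-style theft of Telegram Desktop session data.

Added example, not Talos code. The telemetry format is a hypothetical
Sysmon-like event stream (dicts); field names are assumptions.
"""
from collections import defaultdict
import re

# Real Telegram Desktop data directory on Windows (cache and map files live here).
TDATA_RE = re.compile(r"\\Telegram Desktop\\tdata\\", re.IGNORECASE)
# Exfil host used by the campaign; subdomains such as api.pcloud.com also match.
PCLOUD_RE = re.compile(r"(^|\.)pcloud\.com$", re.IGNORECASE)
# Only the Telegram client itself should read tdata.
ALLOWED_IMAGES = {"telegram.exe"}

# Constructed sample telemetry, not real captures. Filenames are illustrative.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4120, "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "type": "FileRead", "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"ts": 2, "pid": 6633, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "type": "FileRead", "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"ts": 3, "pid": 6633, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "type": "FileRead", "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\map1"},
    {"ts": 4, "pid": 6633, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "type": "FileCreate", "target": r"C:\Users\u\AppData\Local\Temp\tg.zip"},
    {"ts": 5, "pid": 6633, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "type": "NetworkConnect", "target": "api.pcloud.com:443"},
    # A browser visiting pcloud.com on its own is not evidence of theft.
    {"ts": 6, "pid": 7001, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "NetworkConnect", "target": "my.pcloud.com:443"},
]


def image_name(path):
    """Basename of a process image path, lower-cased, for allow-list checks."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators_for(events):
    """Return {pid: {indicator: first_ts}} for every process seen in the stream."""
    found = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind, target = ev["pid"], ev["type"], ev["target"]
        ind = None
        if (kind == "FileRead" and TDATA_RE.search(target)
                and image_name(ev["image"]) not in ALLOWED_IMAGES):
            ind = "tdata_read_by_foreign_process"
        elif kind == "FileCreate" and target.lower().endswith(".zip"):
            ind = "zip_archive_written"
        elif kind == "NetworkConnect" and PCLOUD_RE.search(target.split(":")[0]):
            ind = "pcloud_connect"
        if ind is not None:
            found[pid].setdefault(ind, ev["ts"])  # keep the earliest sighting
    return found


def flag_telegrab(events):
    """Flag pids where a non-Telegram process read tdata and then zipped data
    or reached pcloud.com. The tdata read must precede the follow-on indicator,
    which keeps a lone browser session to pcloud.com from firing the rule."""
    flagged = {}
    for pid, inds in indicators_for(events).items():
        t0 = inds.get("tdata_read_by_foreign_process")
        if t0 is None:
            continue
        later = [k for k in ("zip_archive_written", "pcloud_connect")
                 if inds.get(k, -1) > t0]
        if later:
            flagged[pid] = ["tdata_read_by_foreign_process"] + later
    return flagged


if __name__ == "__main__":
    for pid, reasons in flag_telegrab(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

The rule keys on the combination, not on any single indicator: reading `tdata` from a process other than Telegram.exe is already unusual, and the zip-then-pcloud sequence that follows is what separates TeleGrab's behaviour from a backup tool or a user's own browser. Swap the `pcloud.com` pattern for whatever exfil host a later variant uses; the correlation logic does not change.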
The malware was first spotted on April 4, 2018 and only stole text files, browser credentials, and cookies. A second variant emerged on April 10 that upped the ante, stealing Telegram’s desktop cache as well as Steam login credentials.
The campaign is being distributed using multiple downloaders written in different programming languages – Go, AutoIt, Python – and a prototype for a fourth one (.NET). Researchers said that they have also spotted several YouTube videos with instructions for using victims’ Telegram information to hijack their sessions. They linked these videos to the attacker behind the malware.
The news comes after both Russia and Iran have tried to ban the Britain-based messaging service. Cisco said that TeleGrab targets Russian-speaking victims and intentionally avoids IP addresses related to anonymizer services.
“Although it’s not exploring any vulnerability, it is rather uncommon to see malware collecting this kind of information,” Cisco Talos said. “This malware should be considered a wake-up call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy [their] privacy.”