If you are one of Telegram users, you should know that your private conversations might not be private at all. Researchers have recently discovered TeleGrab, a new malicious application that targets Telegram. To be more specific, it should affect only a Desktop version of Telegram, so if you use a mobile app, you should not be affected by it. As analysis conducted by malware analysts has shown, this infection mainly focuses on the collection of the private information from Telegram messaging service. Just like other malicious applications, its entrance is completely illegal, so it is not surprising that cyber criminals manage to steal private details before TeleGrab is found and removed from the affected computer.
TeleGrab was detected for the first time on April 4, 2018. Specifically speaking, specialists monitoring the web for new malicious applications came across its first version at that time. Six days later it became clear that it is not the only available version of this threat – the second version was detected. They slightly differ from each other, but they are both about the collection of the private information. The first version of TeleGrab can steal web browser credentials, cookies, and even valuable text (.txt) files found on the affected computer. As for the second version, unlike the initial one, it can also steal cache and key files from Telegram. Additionally, it might also be used to obtain information from the game platform Steam. The author of TeleGrab has already been identified as well. Malware researchers have found several videos on YouTube uploaded by the TeleGrab developer. These videos provide more detailed information on how to hijack Telegram sessions using the collected files. Also, the TeleGrab author explains how the malicious application can be packaged for further distribution.
According to specialists, it is very likely that TeleGrab targets users who speak Russian primarily, but, of course, there are no guarantees that it will never end up on other users’ computers too. Without a doubt, almost all users who encounter malware keep their PCs unprotected – do not be one of them! As mentioned, TeleGrab is a threat that targets only one – Desktop version – of Telegram. There is a reason why TeleGrab targets this particular version. Unlike other Telegram versions, the Desktop version does not support Secret Chats, which is definitely not some kind of bug. It does not support this feature simply because it is entirely cloud-based. Additionally, it does not have an auto-logout feature. In other words, default settings of the Desktop version of Telegram are weak.
Let’s talk about the distribution of TeleGrab in a more detailed way – we hope the provided information will help some users to prevent this nasty threat from entering their computers and stealing private information from them. As has been observed, the malicious TeleGrab campaign is mainly distributed using downloaders written in Go, AutoIT, Python, and a DotNet-based programming languages. The first version of malware drops the file called finder.exe. It checks the hard drive for available Google Chrome credentials and cookies. It might also collect some .txt files from the affected machine. As for the second malware variant, it launches either enotproject.exe or dpapi.exe during execution. Most probably, the launched executable is responsible for the exfiltration of the stolen data. Then, this data is uploaded to pcloud.com. None of the information is encrypted. Meaning, it can be accessed by anyone who has correct credentials. It might be then downloaded and viewed using Telegram’s Desktop software.
In conclusion, TeleGrab does not exploit any Telegram vulnerability, but it is surely uncommon for malware to collect such details, specialists say. They do not consider TeleGrab a very sophisticated malicious campaign, but according to them, it clearly shows that even a small operation can cause a lot of trouble to users.