TELEGRAB MALWARE STEALS TELEGRAM DESKTOP MESSAGING SESSIONS, STEAM CREDENTIALS
Recently discovered malware steals cache data and secure messaging sessions from the desktop version of encrypted messaging service Telegram.
The malware, dubbed TeleGrab, leverages weak default settings in the design of Telegram’s desktop version along with the desktop’s lack of support for Secret Chats, according to researchers with Cisco’s Talos team.
Unlike the mobile version of Telegram, the desktop version does not offer Secret Chats, the end-to-end encrypted messaging feature. Because that feature is absent on the desktop client, an attacker who already has access to a target’s computer can “hijack” Telegram sessions through the program’s cache, according to researchers.
“The malware abuses the lack of Secret Chats which is a feature, not a bug,” wrote researchers in a technical description of the malware posted Wednesday. “Telegram desktop by default doesn’t have the auto-logout feature active. These two elements together are what allows the malware to hijack the session and consequently the conversations.”
The absence of Secret Chats on the desktop client is something Telegram is open about in its FAQ:
“Secret chats require permanent storage on the device, something that Telegram Desktop and Telegram Web don’t support at the moment. We may add this in the future.”
The malware gathers all Telegram cache data and compresses it into a zip archive before exfiltrating it. By restoring the stolen cache and map files into an existing Telegram desktop installation with an open session, an attacker can then access the victim’s contacts and previous chats, researchers said.
“The data collected from infected systems could allow an attacker to hijack Telegram sessions simply by restoring the cache and map files into an existing attacker-controlled Telegram desktop installation,” Talos researcher Edmund Brumaghin told Threatpost. “This effectively provides the attacker the ability to access the victim’s sessions, contacts, and previous chats.”
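Because the stolen session material is staged as a zip archive of Telegram Desktop cache and map files, one practical detection is to inspect outbound or quarantined archives for entries that look like a Telegram Desktop profile. The following Python is an added example written for this article, not code from Talos or from Telegram. It assumes the profile directory is named tdata and that session files carry names such as map0, map1 and key_datas (those names and the per-account directory layout are assumptions, not stated on the page); the sample archive it scans is constructed inline with dummy contents.

```python
import io
import re
import zipfile

# Assumed Telegram Desktop profile layout (not from the article): a "tdata"
# directory holding "map*" session files, a local key file and per-account
# directories named by a 16-hex-digit identifier.
TDATA_DIR_MARKER = "tdata"
TDATA_FILE_PATTERNS = [
    re.compile(r"^map[0-9a-f]*$", re.I),    # the "map" files the article describes
    re.compile(r"^key_datas?$", re.I),      # local key file (assumed name)
    re.compile(r"^[0-9A-F]{16}s?$", re.I),  # per-account data directory/file (assumed)
]


def is_tdata_like(path: str) -> bool:
    """Return True when an archive entry looks like part of a Telegram Desktop profile.

    An entry qualifies if any parent directory is named tdata, or if its
    file name matches one of the assumed session-file patterns.
    """
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    if not parts:
        return False
    if any(p.lower() == TDATA_DIR_MARKER for p in parts[:-1]):
        return True
    return any(pat.match(parts[-1]) for pat in TDATA_FILE_PATTERNS)


def scan_archive(zip_bytes: bytes) -> list[str]:
    """List file entries in an in-memory zip that look like staged Telegram session data."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(
            info.filename
            for info in zf.infolist()
            if not info.is_dir() and is_tdata_like(info.filename)
        )


def build_sample_archive() -> bytes:
    """Constructed sample exfil archive with dummy contents, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loot/tdata/map0", b"\x00" * 32)
        zf.writestr("loot/tdata/map1", b"\x00" * 32)
        zf.writestr("loot/tdata/key_datas", b"\x00" * 32)
        zf.writestr("loot/tdata/D877F783D5D3EF8C/maps", b"\x00" * 8)
        zf.writestr("loot/readme.txt", b"nothing to see")   # benign, should not match
        zf.writestr("loot/pictures/cat.jpg", b"\xff\xd8\xff")  # benign, should not match
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_archive(build_sample_archive()):
        print("suspicious entry:", entry)
```

The heuristic is deliberately loose: a legitimate user backup of a Telegram profile will trigger it too, so treat a hit as a lead for triage rather than a verdict. The user-side mitigation the article points at is independent of detection: enable Telegram Desktop’s auto-logout and terminate unrecognised sessions from the client’s active-sessions list if a machine may have been compromised.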
Source | threatpost