The recently discovered TeleGrab malware steals cache data and session files from the desktop version of the encrypted messaging service Telegram.
TeleGrab leverages a weak default setting in Telegram Desktop together with the desktop client's lack of support for Secret Chats.
Telegram Desktop does not support the end-to-end encrypted Secret Chats feature, so every conversation held on the desktop is an ordinary cloud chat, and whoever holds a valid session can read it from any machine. This is what makes it worthwhile to steal Telegram sessions through the program's local cache.
Telegram Desktop is therefore an ideal target: Secret Chats are missing, and the auto-logout feature is deactivated by default, so the session stored on disk stays valid for as long as the user remains logged in. These two elements together are what allow the malware to hijack sessions.
We said it before, and we are saying it now: anything can be hacked, and almost every app has flaws. Remember that it is essential for every user and company to add extra measures of cybersecurity. Every user should run a reputable security solution such as an antivirus for Windows or an antivirus for Mac, depending on which OS their device is running. Every company should go a step further by hiring a cybersecurity firm that will deliberately attack the company's network in order to reveal its most dangerous flaws.
These deliberate attacks are carried out through specialized assessments such as penetration tests and ethical hacking engagements.
First, the malware gathers all Telegram Desktop cache data, zips it, and exfiltrates it. The attacker then restores the files into an existing Telegram Desktop installation with an open session, which grants access to the victim's contacts and previous chats.
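As an added example, not part of the original article and not code from TeleGrab or from the researchers who analysed it, the following Python script shows the defensive side of the technique described above: it flags any process other than Telegram itself that reads files under Telegram Desktop's tdata folder, which is where the session files live. The simplified log format (`image_path|target_path`), the allowlist of process names, and the sample events are constructed assumptions; the folder name inside tdata is illustrative.

```python
"""Detect non-Telegram processes reading Telegram Desktop's session store.

Added example for this article; it is not TeleGrab code and not tooling
from the researchers. Input is a constructed, simplified file-access log
in the form 'image_path|target_path' (one event per line), roughly what a
Sysmon-style file-read event looks like once a log pipeline flattens it.
"""
import re
from pathlib import PureWindowsPath

# Telegram Desktop keeps its local cache and session files under tdata.
TDATA_MARKER = re.compile(r"\\Telegram Desktop\\tdata\\", re.IGNORECASE)

# Processes expected to touch tdata. Assumption: a minimal allowlist; a real
# deployment would also check the image's signer and full path.
ALLOWED_IMAGES = {"telegram.exe", "updater.exe"}

# Constructed sample events (not real telemetry). The D877... folder name is
# illustrative; the rule only cares about the tdata prefix.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe|"
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\map0",
    r"C:\Users\alice\AppData\Local\Temp\svc.exe|"
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\map0",
    r"C:\Users\alice\AppData\Local\Temp\svc.exe|"
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8Cs",
    r"C:\Users\alice\AppData\Local\Temp\svc.exe|"
    r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\settings1",
    r"C:\Windows\explorer.exe|C:\Users\alice\Documents\notes.txt",
    r"C:\Program Files\7-Zip\7z.exe|C:\Users\alice\AppData\Local\Temp\tdata.zip",
]


def parse_event(line):
    """Split 'image|target' into (lower-cased image basename, target path)."""
    image, _, target = line.partition("|")
    if not image or not target:
        raise ValueError(f"malformed event: {line!r}")
    return PureWindowsPath(image).name.lower(), target


def tdata_access_by_process(events):
    """Map each process image to the sorted list of tdata files it touched."""
    touched = {}
    for line in events:
        image, target = parse_event(line)
        if TDATA_MARKER.search(target):
            touched.setdefault(image, set()).add(target)
    return {image: sorted(paths) for image, paths in touched.items()}


def suspicious_tdata_access(events, allowed=ALLOWED_IMAGES):
    """Return tdata access by processes outside the allowlist.

    A foreign process reading several tdata files in a row matches the
    session-file collection described in the article; a single read is
    still reported so the analyst can decide.
    """
    return {
        image: paths
        for image, paths in tdata_access_by_process(events).items()
        if image not in allowed
    }


if __name__ == "__main__":
    for image, paths in suspicious_tdata_access(SAMPLE_EVENTS).items():
        print(f"{image} read {len(paths)} tdata file(s):")
        for path in paths:
            print("   ", path)
```

Run against the sample events, the script reports only `svc.exe`, which read three session-related files, while Telegram's own access to `map0` and the unrelated explorer and 7-Zip events are ignored. The archive step in the sample (`tdata.zip`) is deliberately not matched: the rule keys on the source of the read, not on the name of the output file, so renaming the archive does not evade it.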
At the moment there is no tool that can decrypt the cache information without a Telegram Desktop installation with an open session, but that may not last: the researchers found a GitHub discussion suggesting that such a tool could be developed.
For exfiltration, the malware uses several hardcoded pcloud.com accounts to store the stolen information. The uploaded data is not encrypted, so anyone with access to those credentials also has access to everything that was exfiltrated.
Another option for attackers is a brute-force attack on the encrypted files: the keys used to encrypt Telegram Desktop's data files are stored in the map files, which are themselves encrypted with the victim's local password, so a weak password would make guessing it practical.
TeleGrab exists in two versions: one that only steals text files, browser credentials, and cookies, and a second variant that additionally steals Telegram Desktop's cache and Steam login credentials.
The malware is distributed using multiple downloaders written in different programming languages: Go, AutoIT, Python, and .NET.
The discovery came after both Russia and Iran tried to ban the Britain-based messaging service. TeleGrab targets Russian-speaking victims and intentionally avoids IP addresses associated with anonymizer services.
Because we want you to stay safe in the face of vulnerabilities like this one, we recommend running a robust security solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines run. We also suggest that every company hire a specialized cybersecurity firm to perform penetration tests and ethical hacking tests on the company's network to reveal any flaws that are present.
For companies that operate entirely online, we also recommend using security-hardened web hosting services.