‘TeleGrab’ malware again shows how hackers can evade encryption to read private messages

Talos says the malware "should be considered a wake up call to encrypted messaging systems users."

Researchers with Talos, Cisco’s cybersecurity division, have identified malware that allows a hacker to steal information from victims using the messaging service Telegram.

Detailed in a Talos blog post published Wednesday, Talos says the TeleGrab malware targets Russian-speaking victims and is designed to hijack chat sessions and capture contacts and previous chats.

It’s worth noting that the malware only affects Telegram’s desktop and browser client, which does not have the same security features as the mobile app.

“The malware abuses the lack of Secret Chats which is a feature, not a bug,” the researchers write, referring to Telegram’s client-to-client encrypted chat feature.


Telegram’s desktop clients don’t have the feature because they don’t support local storage, according to a Telegram FAQ page. For that reason, Talos says the malware does not exploit any vulnerability.

“The problem is the lack of transparency, users are never warned that by using Telegram Desktop their chats are not as secure as the ones that you may have using the mobile version, when you use the Secret Chat feature,” Vitor Ventura, the report’s author, told CyberScoop by email. “Given that we are talking about a secure messaging application, these kind of facts should be explained to the users upon installation or start-up.”

Ventura said the malware has in fact been used on victims, “gathering thousands of credentials.” The malware is distributed in separate dropper and payload stages, he said. The researchers believe the droppers are distributed via links on forums and social media. But Talos was not able to confirm or get a sample from those sources, Ventura said.

In investigating the malware, the Talos researchers say they came across a tutorial video on YouTube (which has since been removed) explaining how TeleGrab accomplishes its exploit. It’s possible the report says, “by restoring cache and map files into an existing Telegram desktop installation, if the session was open.”

Talos says it identified the malware’s author “with high confidence” based on the video and analysis of the malware’s variants. The suspected author is a user going by the name “Racoon Hacker,”“Eynot” and “Racoon Pogoromist.”


The researchers found an article on a Russian forum by Racoon Hacker with the title “Telegram breaking in 2018.” A GitHub link found in another forum references the hacker’s alias, as does the YouTube video.

In the malware, Talos found references to credentials for pCloud, a cloud storage service. The credentials are hard-coded into certain malware files. Talos says the operators behind TeleGrab use the pCloud accounts to store the data they exfiltrate.

The data from hijacked Telegram sessions is not encrypted, so anyone with access to the pCloud accounts can see it plainly. The same goes for browser credentials and cookies that the malware steals.

But other, cached information is encrypted with the user’s password. The researchers say they haven’t encountered a tool to decrypt the information, but that it would not be difficult to make a tool that successfully brute-force it.

“Although it’s not exploiting any vulnerability, it is rather uncommon to see malware collecting this kind of information. This malware should be considered a wake up call to encrypted messaging systems users,” the report says. “Features which are not clearly explained and bad defaults can put in jeopardy their privacy.”


Earlier this week, European researchers also presented a somewhat similar technique for how to exploit the way email platforms integrate with PGP, an encrypted messaging tool, in order to spy on encrypted communications.

Latest Podcasts