Security researchers from Cisco’s Talos security group have discovered malware dubbed “TeleGrab” that collects cache and key files from Telegram’s encrypted messaging service.
The malware’s malicious activity was spotted between April 4 and April 10, 2018. The first variant of TeleGrab stole browser credentials, cookies and any text files found on the system. The second variant collected desktop cache, key files and login information for the Steam website.
Telegram provided a desktop disclaimer on the issue: “The malware is not breaking or exploiting any vulnerability on Telegram. It affects the desktop version of Telegram, which does not support Secret Chats and has weak default settings,” Talos wrote in a blog post on Wednesday.
The malware author posted several videos on YouTube describing how to collect Telegram files, use them to hijack Telegram sessions and package them for distribution. The malware operators also use hardcoded pcloud.com accounts to store the exfiltrated data, which is uploaded unencrypted.
So far, TeleGrab has been targeting Russian-speaking victims and is purposely avoiding the use of IP addresses associated with anonymizer services.