
TeleGrab

Posted: May 18, 2018

TeleGrab is a spyware program that collects data associated with the Telegram messaging service, your Web browser, and the Steam gaming client. Victims of its attacks should presume that Telegram-related conversations and online account credentials are in the wrong hands until they can determine otherwise, and take appropriate precautions, such as changing their passwords. Have your anti-malware software quarantine or uninstall TeleGrab as needed instead of attempting a manual detection and removal of this threat.

The Spyware that Prefers the 'Vanilla' Installation Options

A new spyware program is in development with a fully fleshed-out payload that targets various programs and services, most significantly the E2EE (End-to-End Encrypted) messaging service Telegram. The people responsible for the new threat are of apparent Russian origin and are directing their program, named TeleGrab, against other Russian citizens, albeit with some exceptions. Besides endangering users of a supposedly private instant messenger, TeleGrab also includes features for collecting data from browsers and other Web applications.

While malware researchers haven't finished verifying the infection strategies that may be in use, TeleGrab installs itself with the help of one of several Trojan downloaders. There are at least two versions of TeleGrab. The early variant includes support for collecting Web-browsing credentials, cookies and text files. Its update also collects Telegram's cache and keys, as well as any login information for Steam's official website.

The inclusion of Telegram in its information-collecting behavior is TeleGrab's most novel feature. However, the threat doesn't use unpatched or zero-day vulnerabilities in the software for its attack. Instead, it takes advantage of built-in limitations of the desktop version of Telegram, such as the absence of automatic logout or 'Secret Chat.' The data it collects isn't encrypted or otherwise protected from misuse, and TeleGrab uploads it to a cloud server that any threat actor with the corresponding login can access.
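As an added defender-side example (not code from the original article or from the malware's author), the following script flags reads of Telegram Desktop's local session directory or a browser's cookie store by any process other than the application that owns them, the kind of file access the collection described above would produce on a host. The directory fragments, process image names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Local stores that TeleGrab-style spyware copies, keyed by a lower-case
# directory fragment and mapped to the process images expected to read them.
# Paths are assumptions for illustration: Telegram Desktop keeps its session
# data under %APPDATA%\Telegram Desktop\tdata, and Chrome keeps cookies under
# its "User Data\Default" profile directory.
SENSITIVE_STORES = {
    "\\telegram desktop\\tdata\\": {"telegram.exe"},
    "\\google\\chrome\\user data\\default\\": {"chrome.exe"},
}


@dataclass(frozen=True)
class FileRead:
    image: str   # full path of the process image that performed the read
    target: str  # full path of the file that was read


def suspicious_reads(events):
    """Return (image_name, target) pairs where an unexpected process read a
    sensitive store. Reads by the store's own application are ignored."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev.image).name.lower()
        target = ev.target.lower()
        for fragment, allowed in SENSITIVE_STORES.items():
            if fragment in target and image not in allowed:
                alerts.append((image, ev.target))
    return alerts


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    FileRead(r"C:\Users\u\AppData\Roaming\Telegram Desktop\Telegram.exe",
             r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    FileRead(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    FileRead(r"C:\Users\u\AppData\Local\Temp\updater.exe",
             r"C:\Users\u\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    FileRead(r"C:\Users\u\AppData\Local\Temp\updater.exe",
             r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
]

if __name__ == "__main__":
    for image, target in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT: {image} read {target}")
```

In practice the events would come from an EDR or Sysmon file-access feed rather than a hard-coded list; the allow-list is the part to tune per host.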

A One-Time Grab at Your Most Precious Data

Even though it's highly unusual for threat actors residing in Russia to target citizens of the same country, TeleGrab does employ some additional victim-filtering behavior. It automatically avoids collecting any data from victims whose IP addresses appear on an internal list, and it also ignores users of specific anonymity services, such as Anonymizer. Another unexpected limitation is the spyware's omission of a Registry entry or other mechanism that would relaunch it after a reboot. Unlike most spyware, TeleGrab lacks any form of long-term system persistence.

TeleGrab doesn't remain persistent in memory on your PC, but its installation routine relies on AutoIT, Go, and Python-based Trojan downloaders that could install other threats. Any users with compromised PCs or other devices should run full anti-malware scans to remove TeleGrab's components and related unsafe software. Information falling within TeleGrab's collection scope should be addressed appropriately, such as by changing passwords and canceling credit cards.

The author of TeleGrab, referring to himself as 'Raccoon Hacker' or 'Eyenot,' is exhibiting a long-term interest in developing spyware for Telegram-specific attacks, account hijackings, and related crimes. Users assuming that the default settings of services like Telegram are a bulletproof form of security have a good reason to change their views.
