TeleGrab
TeleGrab is a malware that is designed to collect cache and key files associated with Telegram, an instant messaging service designed for encrypted, anonymous online communications specifically. PC security researchers have uncovered two versions of TeleGrab. The first of these versions was observed on April 4, 2018, and it collected data from the affected Web browsers, as well as text files on the infected computer. The second version, observed on April 10, 2018, caught the attention of PC security researchers because it collected the Telegram's cache and key files, as well as login information for a variety of online accounts.
Table of Contents
The TeleGrab Malware’s Function is to Collect Data
TeleGrab will target only the desktop version of this application because it does not support secret chat and does not have the default automatic logout feature. This means that criminals can use TeleGrab to collect files that have information about the victim's sessions on Telegram, as well as contacts and previous chats. TeleGrab seems to be associated with state-sponsored attackers, or with attackers that have a nationalistic association. This is because TeleGrab will check whether the victim's IP addresses are associated with China and Russia or with anonymous browsing services in other countries. When these are encountered, TeleGrab simply exits and does not carry out its attack. One aspect of TeleGrab is that it does not have a persistence mechanism, meaning that the attack stops after the infected computer restarts, meaning that TeleGrab attacks seem to be designed as a one-time attack rather than a persistent campaign.
What TeleGrab will Do with Your Information
TeleGrab delivers its collected data to an account on pCloud, a cloud storage platform based in Switzerland. TeleGrab does not encrypt the data, meaning that anyone with access to these accounts can have access to this information. PC security researchers have noticed at least five pCloud accounts associated with the TeleGrab attackers. The TeleGrab attack is not sophisticated particularly, but it is effective and efficient. One aspect of TeleGrab that computer users need to be aware of is that it targets an instant messaging service that is typically used by people looking for anonymity. Because of this, computer users looking to keep their online communications safe should take steps to ensure that their default settings on these programs are designed to keep their data safe and away from the reach of malware like TeleGrab.
What We Know about the TeleGrab Attackers
From monitoring online activities, PC security researchers have determined that the TeleGrab's creator is a native Russian speaker. Online, this person is known by the aliases 'Eyenot' and 'Racoon Hacker.' This person is quite active on Russian hacking forums and has posted about how to deploy attacks involving TeleGrab and with associated topics extensively. TeleGrab is being updated constantly since the initial versions of this threat. Since its first appearance, TeleGrab has already received several updates that change the extent and effects of the attack. TeleGrab also has no versions designed to attack Telegram on other platforms currently besides the Windows desktop version (such as Android, Linux, or iOS). However, it is clear that the criminals responsible for TeleGrab have made it a priority to target these.
Protecting Your Data from TeleGrab
It is uncomplicated to see why services like Telegram would prove attractive to criminals creating these threats; Telegram users use this service to communicate confidential information. Being able to gain access to this data type can result in lucrative results for criminals, such as getting information about proprietary components or data that could be used to extort or blackmail computer users. Because of this, computer users looking for online anonymity are urged to take multiple steps rather than relying on a single component to protect their data.
