Blog
  .  Published

The New Dangers of Telegram Messenger - Telegrab & Beyond


Image: In exploits that are not really juicy enough for the netsec community, malicious Telegram campaigns are passing more or less under the radar. Grizzly image via Pexels.

Posted in: Home > Security

Subscribe to the Altcoin Trading newsletter. (Newsletter Archive)


In May 2018 new attacks on the desktop version of the Telegram messenger were reported. The reports weren’t specific regarding the targets but since Telegram is the most popular IM in the crypto community, it is certainly something to be aware of.

The sneaky problem here is the current campaign is focused on data gathering only. What it means is you have no way to notice anything wrong, even if your Telegram was compromised.

Exploit that is “just” collecting information

The reason this malicious campaign is not a big deal for security enthusiasts is that it does not do any sophisticated breaking through encryption layers: It is a malware that emerged in April 2018 but it focuses on the desktop version of the Telegram messenger which does not support end-to-end encryption. Just for the sake of full clarity, while Telegram is known as the encrypted instant messenger, it does not actually encrypt communication by default. Encrypted chats are an extra option in the smartphone Telegram versions but by default, the privacy is quite weak.

The data gathering malware was discovered by security researchers thanks to a YouTube tutorial that was posted presumably by the author. The malware collects cache and key files from Telegram, by restoring the cache file into another Telegram installation the victim user session remains open. The session then contains the victims contacts and full message history. This data is stored encrypted, but Talos Intelligence explains that is not much of an issue:

The keys used to encrypt the files on Telegram desktop data are store in the map* files, which are encrypted by the password of the user. Assuming that the attacker does not have the password for these files, it would not be hard for them to create a brute-force mechanism that could allow them to get into these files.

And the last material point is that Telegram does not provide any specifications as to what exactly can ever be stored in the local cache. It is possible that cookies extracted this way could expose information from services such as Gmail or Yandex, in one instance there was extraction of Steam login data recorded. Crypto traders who trade while chatting on Telegram should be quite careful here.

Other dangers of Telegram

In addition to impersonating scammers (not_giving_away_eth), crypto social networks also have malicious actors that are way less aggressive but no less successful, mainly thanks to the common hunger for exclusive or early information about an altcoin market.

The hidden danger here are PDF files, often hyped up and given away by random people in various trading groups. However, you can also receive those per email as free reports, analysis samples or invoices.

Perhaps you thought PDF files were something like an image and not dangerous: On the contrary, they are a piece of code with various styling and display directives for the PDF software to interpret. The PDF reader then makes the code look like a neat graphics:

It is extremely easy to inject random code into this kind of file. Relevant vulnerability reports here would be this post from May 2018 on the Adobe Acrobat PDF Reader. It features several ways to manipulate memory through a piece of JavaScript code embedded in a malicious PDF file. The memory manipulation can lead to random code execution.

Another popular PDF app Foxit PDF Reader also has this type of vulnerability, reported in April 2018. In some cases, just viewing the PDF in the Foxit browser plugin can lead to the exploit - it is not even necessary to download the malicious file. That makes it even harder for any antivirus software to detect anything - which already is a challenge considering these exploits only need a simple Javascript snippet.

  • JavaScript snippets can be used to download and install other malware, key-loggers or trojan horses.
  • Javascript can also overwrite your copy-pasted crypto send address to make you unwittingly send your money to the attacker.
  • MyEtherWallet phishing packages also include key components written in JavaScript.

Best ways to protect yourself

The truly best way is to have an extremely simple trading machine that will actually be really used just for trading - and we are really talking about scrubbed hard drive with a setup r/minimalism would drool over. The simpler the system, the easier the maintenance and the less exposure to vulnerabilities that have not been discovered yet, which sadly includes any kinds of packages even from trusted sources. You should absolutely have a dedicated beater computer or phone for any riskier activities that involve torrents, download sites or streaming services with aggressive and possibly infected ads - more in an older Security post.

Hardware wallets are helpful too, obviously - especially when it comes to the address-rewriting malware: hardware wallets let you check the target address on the HW display which makes it easier to notice any tampering. Using hardware wallets is not risk-free though, they have their own software and hardware vulnerabilities. Both Trezor and Ledger wallet had serious vulnerabilities discovered in the past: Trezor’s here from August 2017 and Ledger here from March 2018.

  as always, just being extra cautious goes a long way too: Use Google 2FA everywhere and don’t reuse email addresses.


Related post, once again: Tiered Device Management for Crypto Holders


The information in this article comes as it is without any guarantees. You are responsible for your own security.

Author | Filed under Blog

Comment on "The New Dangers of Telegram Messenger - Telegrab & Beyond"