Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Richard Chirgwin Thu 17 May 2018  //  04:58 UTC

Already under attack by Russia's telecommunications regulator, a new source of woe has emerged for crypto-chat app Telegram: malware.

In news that won't surprise anybody at all, researchers from Cisco Talos say the malware attacking Telegram's desktop app was written by a Russian speaker.

Vitor Ventura and Azim Khodjibaev explained what they saw in two April attacks involved collecting “cache and key files from end-to-end encrypted instant messaging service Telegram.”

The reason the malware attacked only the desktop version is because it “does not support Secret Chats and has weak default settings” – that's a feature only of the desktop version, and Telegram warns users and explains why security is absent in that environment.

The attack works “by restoring cache and map files into an existing Telegram desktop installation, if the session was open,” giving the attacker the chance to access the victim's session, contacts, and previous chats.

The malware readies data for exfiltration. Image: Cisco Talos

The Talos duo's assessment that the malware's author is a Russian speaker comes from a YouTube tutorial linked in the Talos post.

They located various handles and repositories associated with the attacker, named variously “Racoon Hacker ... Eyenot (Енот / Enot) and Racoon Pogoromist (sic)”.

While Python is Enot's first language as a programmer, Talos said it's seen the malware in downloaders written in Go, AutoIT, Python, and a .NET prototype.

The malware scans hard drives on Windows targets for Chrome credentials, session cookies, and text files, which get zipped and uploaded to pcloud.com. ®
Send us news
10 Comments

Germany cuffs alleged Russian spies over plot to bomb industrial and military targets

Apparently an attempt to damage Ukraine's war effort

Kremlin's Sandworm blamed for cyberattacks on US, European water utilities

Water tank overflowed during one system malfunction, says Mandiant

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

US sanctions spree continues with 15 more for Russian entities

Financial firms that help evade existing restrictions in crosshairs

Russia's Cozy Bear caught phishing German politicos with phony dinner invites

Forget the Riesling, bring on the WINELOADER

Is Russia using Starlink in Ukraine? Congress demands answers

And saying Starlink doesn't work inside Russian borders isn't sufficient...

Kremlin accuses America of plotting cyberattack on Russian voting systems

Don't worry, we have a strong suspicion Putin's still gonna win

German defense chat overheard by Russian eavesdroppers on Cisco's WebEx

Officials can't tell whether the tape was edited, but fear Kremlin has more juicy bits to release in the future

Russia plans to put a nuclear reactor on the Moon – with China's help

Roscosmos has had a few problems landing on the lunar surface recently

Microsoft confirms Russian spies stole source code, accessed internal systems

Still 'no evidence' of any compromised customer-facing systems, we're told

That home router botnet the Feds took down? Moscow's probably going to try again

Non-techies told to master firmware upgrades and firewall rules. For the infosec hardheads: have some IOCs

EU sanctions Indian tech outfit that has partnered with New Delhi's IT Ministry

Si2 Microsystems was tapped for silicon photonics expertise, but has Russian ties that worry Washington and Brussels