Telegram Malware Steals Cache Files and Keys: Created by Russian-Speaking Hacker
Security researchers at Cisco Talos and Doctor Web have reported new variants of a trojan that Doctor Web tracks as Trojan.PWS.Stealer.23012 and Cisco Talos calls TeleGrab. The malware was first spotted in early April 2018 and has evolved quickly, with new versions appearing within weeks of the initial detection.
How the Malware Works
The first version was written in Python and targeted Chromium-based browsers, stealing saved credentials, cookies and text documents found on the system. Later versions added collection of Telegram Desktop cache files and keys, Steam credentials and FileZilla FTP client data, plus copying of image and office document files matching a predefined list. The browsers covered include Google Chrome, Opera, Yandex Browser, Vivaldi, Kometa, Orbitum, Comodo, Amigo and Torch, and images and documents stored on the Windows desktop are taken as well.
Doctor Web describes a modification (Trojan.PWS.Stealer.23732) whose dropper is written in AutoIt. The dropper writes several executables to disk and launches them; together they make up the malware. One is a spyware module written in Python and packaged as an executable, which harvests confidential data from the infected machine. The others, written in Go, scan the disks for browser profile folders, pack the stolen data into archives and upload the archives to pCloud storage.
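A static triage pass for a dropped-file set of this shape, as an added example that is not code from Cisco Talos, Doctor Web or the malware author. It classifies each file by the build markers of the three toolchains the article names (compiled AutoIt script, PyInstaller-packaged Python, Go) and pulls out hardcoded cloud-storage endpoints and credentials, which is the first thing an analyst wants from such a sample. The byte blobs at the bottom are constructed stand-ins, not real samples, and the assumption that the pCloud login appears as username/password query parameters in a URL is for illustration only.

```python
"""Static triage for a multi-component stealer: classify dropped files by
toolchain markers and extract hardcoded cloud-storage endpoints/credentials.
Added example; the sample blobs are constructed, not real malware."""
import re
from urllib.parse import parse_qs, urlsplit

# Publicly documented toolchain signatures, not strings from the TeleGrab samples.
MARKERS = {
    "autoit_compiled_script": (b"AU3!EA06",),
    "pyinstaller_bundle": (b"MEI\x0c\x0b\x0a\x0b\x0e", b"pyimod"),
    "go_binary": (b"Go build ID: ", b"runtime.main"),
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
CLOUD_HOSTS = ("pcloud.com", "yandex.")   # exfil and distribution hosts named in the article


def classify(blob: bytes) -> list:
    """Names of every toolchain whose marker appears in the blob."""
    return [name for name, sigs in MARKERS.items() if any(s in blob for s in sigs)]


def extract_exfil(blob: bytes) -> dict:
    """Cloud-storage URLs found in the blob, and any username/password pair carried
    in their query strings (assumption: that is how a hardcoded login would appear)."""
    urls, creds = [], []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii", "replace")
        parts = urlsplit(url)
        if not any(h in parts.netloc for h in CLOUD_HOSTS):
            continue
        urls.append(url)
        q = parse_qs(parts.query)
        if "username" in q and "password" in q:
            creds.append((q["username"][0], q["password"][0]))
    return {"urls": urls, "credentials": creds}


def triage(files: dict) -> dict:
    """files: {name: bytes}. Returns a per-file report of components and exfil data."""
    return {name: {"components": classify(b), **extract_exfil(b)} for name, b in files.items()}


# Constructed stand-ins for the three kinds of dropped component.
SAMPLES = {
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 64 + b"AU3!EA06" + b"\x00" * 16,
    "stealer.exe": (b"MZ\x90\x00" + b"MEI\x0c\x0b\x0a\x0b\x0e" + b"pyimod01_os_path\x00"
                    + b"https://api.pcloud.com/userinfo?getauth=1&username=buyer%40example.com&password=Pa55word\x00"),
    "upload.exe": (b"MZ\x90\x00" + b"Go build ID: \"abc\"\x00" + b"runtime.main\x00"
                   + b"https://api.pcloud.com/uploadfile\x00"),
}

if __name__ == "__main__":
    for name, report in triage(SAMPLES).items():
        print(name, report)
```

The URL regex stops at a NUL byte, which is how strings are terminated in the binaries, so a hit is the whole embedded URL; the credential pair comes out percent-decoded, ready to be checked against the storage account when you need to confirm which buyer a sample belongs to.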
Distribution Methods
The malware is spread mainly through links in comments under YouTube videos about game cheats, guides and trainers: the attackers post comments from fake accounts linking to Yandex.Disk. The same links are actively promoted on Twitter.
Buyers of the malware devised a further distribution channel: they contacted administrators of themed Telegram channels and offered to write a post about a supposedly new program, inviting them to test it. The program was advertised as letting several Telegram accounts run on one computer; in reality it was the spyware.
How the Attack Works
Cisco researchers stress that the attackers do not exploit any Telegram vulnerability. Instead they target users of Telegram Desktop, which does not support secret chats and has weak default security settings. The malware collects the entire Telegram cache and sends it to the attackers. Investigators also found a tutorial video (since deleted) explaining how to use this data to hijack the victim's session: the cache and map files are restored into an existing Telegram Desktop installation with an open session, which gives access to the victim's contacts and chat history. Cisco believes the malware author and the video's creator are the same person.
Technical Details and Data Extraction
The technique is unusual because there is currently no known decryptor for the Telegram cache, although discussions in the TelegramDesktop GitHub repository suggest one could be written. The keys that encrypt Telegram's local files are stored in the map* files, which are themselves encrypted with a key derived from the user's local passcode. That passcode is optional and off by default: when none is set, the key is derived from an empty passcode, so anyone holding the files (or a Telegram Desktop installation into which they are restored) obtains it without any brute force, which is the weak default the researchers refer to and why the session-restore trick needs no decryptor. Where a passcode has been set, the attackers do not know it but can try to brute-force it. Since the scheme is built from standard primitives (a PBKDF2 derivation for the key, AES for the data), researchers believe attackers could write an OpenCL cracker or a Hashcat module for it.
Even in this offline scenario, the attacker only obtains what happens to be in the local cache, and it is impossible to predict exactly which messages that includes; anything never cached on that machine stays out of reach.
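The map* file layout and local-key derivation discussed above, as an added example that is not code from Cisco Talos, Doctor Web, Telegram or the malware author. It parses the `map` file (tdata/D877F783D5D3EF8C/map0, map1 or maps), verifies the container's MD5 trailer, extracts the salt and the passcode-encrypted key blob, and runs the PBKDF2-HMAC-SHA1 derivation a brute-force tool has to reproduce per guess, returning the iteration count so the cost asymmetry between an empty and a set passcode is visible. The format details follow my reading of tdesktop's storage/localstorage.cpp as it stood in 2018; to my knowledge this is the scheme Hashcat later implemented as mode 22301 for Telegram Desktop builds before 2.1.14, and newer builds moved to PBKDF2-HMAC-SHA512 with a far higher iteration count, so verify against the exact build you analyse. The file built by `build_map_file()` and the version number in it are constructed for the test, and checking a candidate against the encrypted key blob (AES-IGE decryption plus SHA-1 comparison) is deliberately not implemented here.

```python
"""Telegram Desktop `map` file layout and local-key derivation (2018-era tdesktop).
Added example; the sample file is constructed, not taken from a real installation."""
from __future__ import annotations

import hashlib
import struct

TDF_MAGIC = b"TDF$"
ITER_WITH_PASSCODE = 4000   # tdesktop kLocalEncryptIterCount
ITER_NO_PASSCODE = 4        # tdesktop kLocalEncryptNoPwdIterCount (empty passcode)
LOCAL_KEY_SIZE = 256        # derived key is a full 256-byte MTProto-style auth key


def _read_qbytearray(buf: bytes, pos: int) -> tuple[bytes, int]:
    """QDataStream QByteArray: big-endian uint32 length, then the raw bytes."""
    (length,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if length == 0xFFFFFFFF:          # Qt's encoding of a null QByteArray
        return b"", pos
    if pos + length > len(buf):
        raise ValueError("truncated QByteArray")
    return buf[pos:pos + length], pos + length


def _tdf_md5(payload: bytes, version: int) -> bytes:
    """Trailer MD5 as tdesktop computes it: payload, int32 size, int32 version, magic."""
    h = hashlib.md5(payload)
    h.update(struct.pack("<i", len(payload)))
    h.update(struct.pack("<i", version))
    h.update(TDF_MAGIC)
    return h.digest()


def parse_tdf(blob: bytes) -> tuple[int, bytes]:
    """Unwrap the TDF$ container: magic, native-endian int32 version, payload,
    then a 16-byte MD5 trailer that must verify before anything is trusted."""
    if blob[:4] != TDF_MAGIC or len(blob) < 24:
        raise ValueError("not a TDF$ file")
    (version,) = struct.unpack_from("<i", blob, 4)
    payload, trailer = blob[8:-16], blob[-16:]
    if _tdf_md5(payload, version) != trailer:
        raise ValueError("MD5 trailer mismatch: truncated, corrupt or not a tdesktop file")
    return version, payload


def is_valid_tdf(blob: bytes) -> bool:
    """True when the container parses and its MD5 trailer verifies."""
    try:
        parse_tdf(blob)
        return True
    except ValueError:
        return False


def parse_map(blob: bytes) -> dict:
    """Split the map payload into salt, passcode-encrypted local key and encrypted map."""
    version, payload = parse_tdf(blob)
    salt, pos = _read_qbytearray(payload, 0)
    key_encrypted, pos = _read_qbytearray(payload, pos)
    map_encrypted, _ = _read_qbytearray(payload, pos)
    if len(salt) != 32:
        raise ValueError(f"unexpected salt length {len(salt)}")
    # keyEncrypted = 16-byte msg_key (SHA-1 prefix of the plaintext) + AES-IGE body.
    # Testing a passcode guess means decrypting the body with a key/IV derived from
    # msg_key and the PBKDF2 output and comparing SHA-1 of the result with msg_key;
    # that needs an AES-IGE implementation and is out of scope for this example.
    return {
        "version": version,
        "salt": salt,
        "msg_key": key_encrypted[:16],
        "key_ciphertext": key_encrypted[16:],
        "map_ciphertext": map_encrypted,
    }


def derive_local_key(passcode: bytes, salt: bytes) -> tuple[bytes, int]:
    """PBKDF2-HMAC-SHA1 over the passcode: 4 iterations when no passcode is set,
    4000 when one is. Returns (key, iterations) so the per-guess cost is visible."""
    iterations = ITER_WITH_PASSCODE if passcode else ITER_NO_PASSCODE
    return hashlib.pbkdf2_hmac("sha1", passcode, salt, iterations, LOCAL_KEY_SIZE), iterations


def build_map_file(salt: bytes, key_encrypted: bytes, map_encrypted: bytes,
                   version: int = 1002019) -> bytes:
    """Constructed TDF$ container for tests; mirrors what parse_tdf/parse_map expect."""
    def qba(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    payload = qba(salt) + qba(key_encrypted) + qba(map_encrypted)
    return TDF_MAGIC + struct.pack("<i", version) + payload + _tdf_md5(payload, version)


# Constructed sample: 32-byte salt; 16-byte msg_key plus a 272-byte body for the
# encrypted 256-byte key (4-byte length + key, padded to a 16-byte boundary).
SAMPLE_SALT = bytes(range(32))
SAMPLE_KEY_ENC = b"\xaa" * 16 + b"\x55" * 272
SAMPLE_MAP_ENC = b"\x11" * 16 + b"\x22" * 64
SAMPLE_FILE = build_map_file(SAMPLE_SALT, SAMPLE_KEY_ENC, SAMPLE_MAP_ENC)

if __name__ == "__main__":
    info = parse_map(SAMPLE_FILE)
    for guess in (b"", b"1234"):
        key, iters = derive_local_key(guess, info["salt"])
        print(f"passcode={guess!r:8} iterations={iters:5d} key[:8]={key[:8].hex()}")
```

The point the iteration counts make is that a set passcode raises the per-guess cost by a factor of a thousand, and the 256-byte output means a GPU cracker has to compute the full PBKDF2 expansion (or at least enough of it for the AES key material) before it can test a guess against the encrypted key blob. Without a passcode there is nothing to crack, which is why the stolen files are directly usable.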
The Malware Author
Both Cisco and Doctor Web analysts identified the malware author, who goes by the aliases Eyenot (Enot) and Enot Pogromist. He not only develops the malware but also sells it. According to Doctor Web, he runs a YouTube channel devoted to malware development and a GitHub page where he publishes the source code of his malicious programs.
Cisco adds that the author has been active on the hacker forum lolzteam.net since 2017, where he recently posted an article titled “Hacking Telegram in 2018” describing how to customise his malware. On another hacker forum, sft.st, the malware is advertised for sale with links to the GitHub account Enot272 and to Python scripts and other tools (since deleted) that let buyers reproduce the author's actions.
Researchers also noticed that the GitHub profile icon matches that of the YouTube account. One of the videos shows how to build a loader in AutoIt and references the site testytest1enot.ucoz.net, which hosted files matching those found in the malware samples and in the dropper's download URLs.
Doctor Web analysts also combed open sources and identified several email addresses and a mobile phone number linked to the Telegram account used for the illegal activity, several domains used to distribute the malware, and the city where the author lives. A diagram (not reproduced here) shows some of the connections between Enot Pogromist and his technical resources.
Doctor Web notes that the logins and passwords for the cloud storage accounts that receive the stolen files are hardcoded into the trojans, which made it easy to identify every client who bought the malware from Enot Pogromist. Most are citizens of Russia and Ukraine; some used email addresses that could be traced to their social media profiles, revealing their real identities. Doctor Web staff also found that many of these clients use other spyware sold on underground forums. Notably, some buyers were careless enough to run the spyware on their own computers, presumably to test it, so their own personal files were uploaded to the cloud storage, which any researcher can access with the credentials extracted from the trojan.