Over the past month-and-a-half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.
While the first version only stole browser credentials and cookies, along with all text files it can find on the system, the second variant added the ability to collect Telegram’s desktop cache and key files, as well as login information for the Steam website.
Talos intelligence research allowed the identification of the author behind this malware with high confidence. The author posted several YouTube videos with instructions on how to use the Telegram collected files to hijack Telegram sessions and how to package it for distribution.
The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated information. This information is not encrypted, which means that anyone with access to these credentials will have access to the exfiltrated information.
The malware is mainly targeting Russian-speaking victims, and is intentionally avoiding IP addresses related with anonymizer services.