What is TeleGrab?

TeleGrab is a new malicious application that was detected by researchers monitoring the web at the beginning of May, 2018 for the first time. It is not an ordinary infection, to say the least. Malware analysts have carried out research to find more about this infection and they are now 100% sure that it is one of those threats that target a specific application. In this case, it is Telegram, which is known to be an end-to-end instant messaging service. Also, specialists can now say with confidence that there are two different versions of the same malicious application available. The first one was discovered in the wild on April 4, 2018, whereas the second one landed in researchers’ lap six days later. Even though both of them are all about stealing personal information, they slightly differ from each other.

What does TeleGrab do?

As research has clearly shown, the first version of TeleGrab can steal browser credentials, cookies, and text files found on the affected computer. Unlike the initial version of this malicious application, the second one is also capable of collecting cache and key files from the Desktop version of Telegram. The cyber criminal behind this malicious application has even uploaded videos explaining how to use the collected data in order to hijack Telegram sessions to YouTube. Also, there is a video explaining how to package the malicious application for distribution available. Because of this, it is not likely at all that its popularity will decrease soon and it will no longer bother Telegram users. It should be emphasized that TeleGrab mainly targeted Russian-speaking users at the time of analysis, so this group of people should be careful the most. Of course, we do not try to say here that users who do not speak Russian are safe.

No vulnerabilities were found on Telegram, specialists reported. According to them, it is more likely that TeleGrab abuses the lack of the Secret Chats features in Telegram for Desktop instead. Telegram explains that Secret Chats are not supported on Telegram Desktop and Telegram Web versions because they are fully cloud-based. It has also turned out that the Telegram Desktop version does not have an auto-logout feature. The lack of these two features allows the malicious application to hijack users’ Telegram sessions and access their private conversations without their knowledge. Hijacking Telegram is “the most interesting feature of this malware,” researchers say. Luckily, it has turned out that TeleGrab can only cause problems to users using the Desktop version of Telegram, meaning that there is nothing to worry about for users who use mobile apps.

We have to admit that TeleGrab is quite sophisticated malware. No, it is not because of the fact that it steals personal information. Research has revealed that it uploads the stolen data and exfiltrated files to one of five available pCloud (it is a cloud storage solution based in Switzerland) accounts. The uploaded data is not encrypted in any way, which means that anyone who has credentials to those accounts can access this information.

Where does TeleGrab come from?

Interestingly, TeleGrab is distributed using various downloaders that are written in different programming languages: Go, AutoIT, Python, and a language based on DotNet. As has been observed, the first version of this infection drops an executable file named finder.exe. It searches for available browsing cookies information. Also, it may collect some .txt files. As for the second malware variant, it is spread as a self-extracting file in a RAR format. It should execute one of the two .exe files: enotproject.exe or dpapi.exe. It allows TeleGrab to get data not only from Telegram but also from Steam, a gaming platform.

How to delete TeleGrab

Since TeleGrab can steal private information, it is very important to remove it from the affected system as soon as possible. The threat might continue working normally if a single malicious component that belongs to it is left active. Therefore, security specialists say that TeleGrab should be removed from affected systems using a powerful antimalware scanner.


Ventura, V. and Khodjibaev, A. TeleGrab – Grizzly Attacks on Secure Messaging. Talos 100% FREE spyware scan and
tested removal of TeleGrab*


Leave a Comment

Enter the numbers in the box to the right *