A malware campaign built around a fake Telegram desktop app for Windows reportedly continues to plague users.
Jannis Kirschner, an independent security researcher from Switzerland, was searching for the desktop version of Telegram when he came across an intriguing advertisement that led directly to malware disguised as the Windows desktop version of Telegram.
Fake Telegram Desktop App Malware
Upon further probing, he found many unofficial, bogus pages (telegramdesktop[.]com, telegramdesktop[.]net, and telegramdesktop[.]org) offering a fake Telegram app download that was actually spyware and an information stealer. At least three pages are known to be used to trick users into installing fake Telegram apps, and they mimic the official Telegram page (desktop.telegram.org).
Although visiting telegramdesktop[.]com now shows a warning from Google’s Safe Browsing tool, the other two sites, telegramdesktop[.]net and telegramdesktop[.]org, are still functional and apparently still tricking users.
According to Kirschner, the .com and .net sites recorded 2,746 downloads of the malicious Windows executable, and the second-stage malware was fetched 129 times. The .org site logged 529 downloads in only two days.
He further added, “A repo probably was a bad choice for delivering malware since it’s very verbose (download numbers, time, and other documents). The biggest opsec mistake was that they didn’t clean one of the repo’s metadata, which led me to discover commit messages and their e-mail [address].”
Second Stage: AZORult
The second stage of the malware, AZORult, steals login credentials, Telegram messages, and other valuable data from Google’s Chrome browser, including cookies, autofill information, passwords, and location data.
“AZORult was being used in malvertising campaigns targeting a popular VPN service, as well as in COVID-19 themed campaigns,” Kirschner said.
To avoid the fake Telegram desktop app malware, pay attention to the websites you are about to visit. The links mentioned above are easy to tell apart from the official one.
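As an added example (not code from the article or from the researcher), the following Python check takes the defanged impostor domains quoted above, refangs them, and classifies a download URL against an assumed allowlist of official Telegram hosts (desktop.telegram.org and the telegram.org parent domain), so that a lookalike host containing "telegram" is flagged before a user or a proxy rule trusts it.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the official download host named in the article plus its parent domain.
OFFICIAL_HOSTS = {"desktop.telegram.org", "telegram.org"}

# Impostor domains exactly as the article publishes them (defanged with "[.]").
ARTICLE_INDICATORS = [
    "telegramdesktop[.]com",
    "telegramdesktop[.]net",
    "telegramdesktop[.]org",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL ('[.]', '[dot]', 'hxxp') back into a plain one."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\s*(?:\.|dot)\s*\]", ".", s)
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s


# Refanged once at import time so the classifier compares plain hostnames.
KNOWN_IMPOSTORS = frozenset(refang(d) for d in ARTICLE_INDICATORS)


def host_of(url: str) -> str:
    """Extract the lowercase hostname; a bare domain is treated as an http URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify(url: str) -> str:
    """Classify a download link: official, known-impostor, lookalike, or unrelated."""
    host = host_of(refang(url))
    if host in OFFICIAL_HOSTS or host.endswith(".telegram.org"):
        return "official"
    if host in KNOWN_IMPOSTORS:
        return "known-impostor"
    # Any other host that borrows the brand name deserves a second look.
    if "telegram" in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ["https://desktop.telegram.org/", "telegramdesktop[.]net/tsetup.exe"]:
        print(link, "->", classify(link))
```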