MacOS Malware Hijacks Telegram Sessions and Targets Crypto Wallets

BTC-1.71%
LTC-0.17%
DASH-0.05%
DOGE-1.95%

Blockchain security firm SlowMist discovered a macOS information-stealing malware that hijacks Telegram Desktop sessions and compromises cryptocurrency wallets. The malware harvests data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases associated with more than a dozen cryptocurrency wallets, allowing attackers to decrypt stolen wallet databases offline or replace legitimate hardware wallet applications with fake versions. SlowMist reproduced the attack chain in an isolated environment and confirmed that Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login.

SlowMist Identifies MacOS Malware Data Harvesting Methods

After collecting passwords and authenticated sessions, the malware copies users' authenticated Telegram Desktop session data, wallet databases and browser wallet extension data. SlowMist said attackers can then attempt to decrypt the stolen wallet databases offline using passwords harvested from the infected device or replace legitimate Ledger and Trezor applications with fake versions that trick users into entering their recovery phrases. The malware combines multiple techniques into a coordinated attack chain, allowing attackers to pursue different methods of compromising cryptocurrency accounts and wallets.

Malware Targets Software and Hardware Crypto Wallets

According to SlowMist, the malware targets software wallets including Exodus, Atomic, Electrum, Wasabi and Monero, as well as hardware wallet applications such as Ledger Live and Trezor Suite. It also searches for wallet data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core.

Telegram Two-Step Verification Fails to Prevent Session Hijacking

Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login, according to SlowMist. In tests, researchers restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code or two-step verification password.

SlowMist Recommends Immediate Security Measures for Compromised Devices

SlowMist urged users who suspect their devices have been compromised to immediately terminate existing Telegram sessions, establish a new trusted login and change both their Telegram two-step verification password and Telegram Desktop Passcode. The company also recommended generating a new recovery phrase on a clean device and transferring all assets to new addresses.

FAQ

What types of data does the macOS malware steal according to SlowMist?

The malware harvests data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases associated with more than a dozen cryptocurrency wallets, including authenticated Telegram Desktop session data, wallet databases and browser wallet extension data.

Why does Telegram two-step verification not prevent this malware attack?

Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login. SlowMist researchers restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code or two-step verification password.

What security measures does SlowMist recommend for users who suspect device compromise?

SlowMist urged users to immediately terminate existing Telegram sessions, establish a new trusted login, change both their Telegram two-step verification password and Telegram Desktop Passcode, generate a new recovery phrase on a clean device and transfer all assets to new addresses.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments