MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
macOS Malware Hijacks Telegram Sessions, Targets Crypto Wallets: SlowMist
A macOS malware steals credentials to hijack Telegram sessions, decrypt cryptocurrency wallets, or trick users into entering their wallet recovery phrases through fake applications.
According to SlowMist, the malware combines multiple techniques into a coordinated attack chain, allowing attackers to pursue different methods of compromising cryptocurrency accounts and wallets.
The malware targets software wallets including:
- Exodus
- Atomic
- Electrum
- Wasabi
- Monero
It also targets hardware wallet applications such as:
- Ledger Live
- Trezor Suite
Additionally, it searches for wallet data stored by full-node clients including:
- Bitcoin Core
- Litecoin Core
- Dash Core
- Dogecoin Core
Telegram Session Hijacking
Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login, according to SlowMist. In tests, researchers restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code, or two-step verification password.
Recommended Mitigation
SlowMist urged users who suspect their devices have been compromised to:
- Immediately terminate existing Telegram sessions
- Establish a new trusted login
- Change both their Telegram two-step verification password and Telegram Desktop Passcode
The company also recommended generating a new recovery phrase on a clean device and transferring all assets to new addresses.
Comments
No comments yet. Start the discussion.