
Hackers Take Advantage of Telegram API to Distribute Latest Golang Backdoor


A recent discovery by cybersecurity researchers at Netskope has unveiled a new Golang-based backdoor that utilizes Telegram for command and control (C2) purposes. This backdoor, identified as Trojan.Generic.37477095, is believed to have origins in Russia and leverages cloud services like Telegram as a means to execute malicious activities while evading detection.

The use of cloud platforms such as Telegram for C2 communication presents a significant challenge for cybersecurity professionals due to the ease of access for threat actors and the inherent difficulty in monitoring such channels. Attackers can take advantage of these platforms to carry out their malicious operations without the need for dedicated infrastructure, making it a highly effective strategy. Other cloud services like OneDrive, GitHub, and Dropbox could also be potentially exploited in a similar manner.

Upon execution, the malware, coded in Go, triggers an “installSelf” function that ensures it is running from a specific location and filename: “C:\Windows\Temp\svchost.exe”. If not already in place, the malware copies itself to the designated location, initiates a new process to launch the copied file, and terminates the original instance. This meticulous process guarantees that the malware operates from the intended location before proceeding further.

To establish communication with the C2 server, the backdoor utilizes an open-source Go package to interact with Telegram. By creating a bot instance using the Telegram BotFather feature and a unique token, the malware can monitor a specific Telegram chat for incoming commands. Currently supporting four commands, including “/cmd”, “/persist”, “/screenshot”, and “/selfdestruct”, the malware selectively executes commands based on message content and length.

The “/cmd” command, for example, requires two messages – the command itself, followed by a PowerShell command for execution. The malware prompts the user to enter the PowerShell command in a Russian-language message and executes it in a concealed PowerShell window. The other commands, “/persist”, “/screenshot”, and “/selfdestruct”, facilitate the persistence, screenshot capture, and self-destruction functionalities of the malware, respectively.
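The behaviours described above, expressed as detection checks over constructed endpoint telemetry. This is an added example, not Netskope's or the article's own code; the key="value" event format, the sample events, and api.telegram.org as the Bot API host are assumptions.

```python
"""Detection checks for the tradecraft described above, run over constructed
endpoint telemetry: svchost.exe running outside System32, hidden PowerShell
spawned by it, and that process reaching the Telegram Bot API."""
import re

# Legitimate locations of svchost.exe on a 64-bit Windows install.
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
# Assumption: the host a Telegram bot library talks to for Bot API calls.
TELEGRAM_BOT_API = "api.telegram.org"
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden")

def parse_event(line: str) -> dict:
    """Parse a constructed key="value" telemetry line (values lowercased)."""
    return {k: v.lower() for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def is_rogue_svchost(path: str) -> bool:
    return path.endswith(r"\svchost.exe") and path not in LEGIT_SVCHOST

def classify(ev: dict) -> list:
    """Return the alert names one event triggers (empty list if benign)."""
    alerts = []
    image, parent = ev.get("image", ""), ev.get("parent", "")
    if ev.get("type") == "proc":
        if is_rogue_svchost(image):
            alerts.append("svchost_outside_system32")
        if "powershell" in image and is_rogue_svchost(parent) and HIDDEN_PS.search(ev.get("cmd", "")):
            alerts.append("hidden_powershell_from_rogue_svchost")
    elif ev.get("type") == "net" and ev.get("dest_host") == TELEGRAM_BOT_API:
        # Any non-browser process reaching the Bot API merits review; a rogue svchost is a strong signal.
        alerts.append("rogue_svchost_to_telegram_api" if is_rogue_svchost(image) else "process_to_telegram_api")
    return alerts

def scan(lines) -> list:
    """Return (alert, image) pairs for every line that fires a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((a, ev.get("image", "")) for a in classify(ev))
    return hits

# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    r'type="proc" image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe" cmd="svchost.exe -k netsvcs"',
    r'type="proc" image="C:\Windows\Temp\svchost.exe" parent="C:\Users\alice\Downloads\installer.exe" cmd="svchost.exe"',
    r'type="net" image="C:\Windows\Temp\svchost.exe" dest_host="api.telegram.org" dest_port="443"',
    r'type="proc" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\Temp\svchost.exe" cmd="powershell -WindowStyle Hidden -Command Get-Date"',
]

if __name__ == "__main__":
    for alert, image in scan(SAMPLE_EVENTS):
        print(f"{alert}: {image}")
```

The first sample event (a genuine svchost.exe launched by services.exe) fires nothing; the remaining three each fire one rule.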

As highlighted by researchers, the use of cloud applications as C2 channels presents a significant challenge for defenders. This method not only simplifies the attackers’ operations by eliminating the need for complex infrastructure but also complicates the detection process for defenders, as distinguishing between normal user interactions and malicious C2 communication becomes increasingly difficult.

To safeguard against such threats, it is crucial to have robust antivirus and anti-malware solutions installed on all devices. These security measures should be regularly updated and capable of detecting and blocking malicious files, including Go-based executables.

In conclusion, the discovery of this Golang-based backdoor utilizing Telegram for C2 communication underscores the evolving tactics employed by threat actors to bypass traditional security measures. By staying vigilant and implementing robust security practices, organizations can mitigate the risks posed by such advanced malware threats.
