Researchers have identified a new backdoor malware, written in Go programming language, that leverages Telegram as its command-and-control (C2) channel. <\/p>\n
While the malware appears to still be under development, it is already fully functional and capable of executing various malicious activities. <\/p>\n
This innovative use of cloud-based applications like Telegram for C2 communication poses significant challenges for cybersecurity defenders.<\/p>\n
- \n
- A newly discovered Go-based backdoor, potentially of Russian origin, has been identified.<\/li>\n
- The malware uses Telegram as its primary C2 communication channel.<\/li>\n
- Despite being under development, the malware is operational and includes several implemented commands.<\/li>\n<\/ul>\n
Technical Analysis<\/strong><\/h2>\n
The malware is compiled in Golang and functions as a backdoor once executed. Upon launch, it performs an initial self-installation process by checking if it is running from a specific file path:
C:WindowsTempsvchost.exe<\/code>. <\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgA4Uygws6XdndUIlKQLSx81IH3SHTvUMRya-gxsFXMDQBqx5ca852YTZphVK86DOQQVmLwXTL0U0dJkCU8_i3sDLxDzJMOu5MTTrevNkuSWzEgp5xuJaJgeJqA1fkMYxfuttCB_lmA9SKX0SKweQDQ7gmMIgWVjdhmSM5LiZ5Fs5oDrWNGIzc4WqjOuVjw\/s16000\/Golang-Backdoor-1.png?ssl=1\")
<\/figure>\nIf not, it copies itself to this location, relaunches the new instance, and terminates the original process. This self-installation step is executed through an initialization function before the main function of the malware is called.<\/p>\n
Interaction with Telegram<\/strong><\/h2>\n
The malware employs an open-source Go package to interact with Telegram. It uses the
NewBotAPIWithClient<\/code> function to create a bot instance using a token generated via Telegram\u2019s BotFather feature. <\/p>\nThe analyzed sample contained the token
8069094157:AAEyzkW_3R3C-tshfLwgdTYHEluwBxQnBuk<\/code>. Through theGetUpdatesChan<\/code> function, the malware continuously monitors a channel for incoming commands from its operators.<\/p>\nThe backdoor currently supports four commands, three of which are fully implemented:<\/p>\n
- \n
- \n\/cmd<\/strong>: Executes PowerShell commands received via Telegram.<\/li>\n
- \n\/persist<\/strong>: Relaunches itself in the specified directory (
C:WindowsTempsvchost.exe<\/code>).<\/li>\n- \n\/screenshot<\/strong>: Not yet fully implemented but sends a placeholder message indicating a screenshot was captured.<\/li>\n
- \n\/selfdestruct<\/strong>: Deletes itself and terminates its process.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjJapR_N5Cobe4MC3t3b_nQ6li1VDz5RC_3XYzmiHEOTpXzehGxmqkPLggjhNCDmO7WkXjegkGOZAmkQOyhV0JH2m0DBI79VvvDZ1UnmqQYJcW54PV9lrQCA4TkbHtTi0BkedaPzgEM7iitg1o8X_ICCF_cLgo23EHpC0qw_EKdrCpHWEBOIx1gGQoJ9B4f\/s16000\/Golang-Backdoor-3.png?ssl=1\")
<\/figure>\nCommand outputs are sent back to the Telegram channel using an encrypted send function. For example, when executing
\/cmd<\/code>, the malware prompts the attacker (in Russian) to enter a PowerShell command, which it then executes in hidden mode.<\/p>\nThe use of cloud-based applications like Telegram as C2 channels<\/a> complicates detection efforts. These platforms provide attackers with an easy-to-use infrastructure while blending malicious activity with legitimate API usage. <\/p>\n
Other cloud apps such as OneDrive, GitHub, and Dropbox could similarly be exploited in this way, making it increasingly difficult for defenders to differentiate between benign and malicious traffic.<\/p>\n
Netskope Advanced Threat Protection proactively detects<\/a> this threat under the identifier \u201cTrojan.Generic.37477095.\u201d The company emphasized the importance of monitoring such evolving threats and adapting defenses accordingly.<\/p>\n
This Go-based malware highlights how attackers are leveraging cloud applications to bypass traditional detection mechanisms. By exploiting platforms like Telegram for C2 communication, attackers simplify their operations while complicating defensive measures. <\/p>\n
Netskope Threat Labs reported that they will continue monitoring this backdoor\u2019s development and its associated tactics, techniques, and procedures (TTPs).<\/p>\n
For additional technical details and indicators of compromise<\/a> (IOCs), Netskope has made relevant data available in their GitHub repository.<\/p>\n
Find this Story Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong><\/p>\n
The post New Go-Based Malware Exploits Telegram and Use It as C2 Channel<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
- \n\/persist<\/strong>: Relaunches itself in the specified directory (
- \n\/cmd<\/strong>: Executes PowerShell commands received via Telegram.<\/li>\n