Golang Malware Uses Telegram as Command and Control Channel

Article Highlights
Off On

Researchers have identified a new variant of Golang malware using Telegram as its command and control (C2) channel. This malware, believed to originate from Russia, is still under development but already possesses significant capabilities that make it a formidable threat. Experts from Netskope uncovered this backdoor, which upon execution, sets the stage for its malicious operations. This approach of using Telegram as a C2 channel highlights the increasing tendency among threat actors to exploit cloud applications due to their ease of setup and the challenges they pose to defenders.

Increasing Use of Cloud Applications for Command and Control

Much of the growing trend among attackers involves leveraging cloud applications as their C2 channels. This tactic not only simplifies the setup process for the malicious actors but also poses significant detection challenges for security teams. Applications such as OneDrive, GitHub, and Dropbox have seen similar exploitation, making it difficult for defenders to differentiate between legitimate user activity and malicious communications. The utilization of these cloud platforms complicates the task for cybersecurity teams, as distinguishing normal traffic from nefarious actions becomes a daunting task due to the encryption and legitimate use of these services.

The newly discovered Golang malware follows this trend, opting for Telegram as its preferred C2 channel. Telegram’s widespread use and encryption features make it an attractive option for threat actors. The malware includes a critical function named “installSelf,” specifically designed to ensure its presence under a designated location and name on the infected system, “C:WindowsTempsvchost.exe.” Once properly installed, the malware turns to an open-source Go package to interact with Telegram, showcasing the sophistication and planning behind its development.

Technical Mechanism of the Golang Malware

The interaction with Telegram relies heavily on several functions, making it capable of responding to its operators’ commands efficiently. To create a bot instance, the malware utilizes the “NewBotAPIWithClient” function, which requires a token obtained from Telegram BotFather. Once the bot is established, it continually checks for new commands via the “GetUpdatesChan” function. This mechanism ensures that the malware remains responsive to commands sent through Telegram, allowing the attacker to maintain control over the infected systems discreetly.

The malware supports four primary commands that enable the attacker to execute specific tasks. These are: execute PowerShell commands, relaunch itself, capture screenshots, and delete itself. The most complex of these commands is the execution of PowerShell scripts, which requires the input of two separate messages: the command prompt and the subsequent PowerShell script. Once the PowerShell command is given, the malware waits for the next input, prompting the user with a message in Russian. The remaining three commands are straightforward, each requiring only a single confirmation message before execution.

Feedback from these commands is securely sent back to the attacker’s Telegram channel using an encrypted function named “sendEncrypted.” This ensures that even if the communications are intercepted, the content remains inaccessible without the decryption key. The approach not only masks the malicious communications but also leverages Telegram’s security features to the attackers’ advantage, thereby making it challenging for cybersecurity experts to detect and mitigate these threats effectively.

What’s Next for Cybersecurity

In a concerning development that underscores the continually advancing tactics of cybercriminals, researchers have discovered a new strain of Golang malware utilizing Telegram as its command and control (C2) channel. This particular malware is believed to have Russian origins and is still in its development stages. However, even in its current form, it possesses substantial capabilities, rendering it a significant threat. Netskope experts identified this backdoor, which, once executed, prepares for its malicious activities. The method of employing Telegram as a C2 channel highlights a growing trend among cybercriminals to leverage cloud-based applications. These applications are appealing due to their simplicity in setup and the considerable difficulties they present for cybersecurity defenders. Cybersecurity professionals must stay aware of such innovations as they pose new challenges in maintaining secure systems and protecting sensitive data from being compromised by increasingly sophisticated attacks.

Explore more

Why Should Leaders Invest in Employee Career Growth?

In today’s fast-paced business landscape, a staggering statistic reveals the stakes of neglecting employee development: turnover costs the median S&P 500 company $480 million annually due to talent loss, underscoring a critical challenge for leaders. This immense financial burden highlights the urgent need to retain skilled individuals and maintain a competitive edge through strategic initiatives. Employee career growth, often overlooked

Making Time for Questions to Boost Workplace Curiosity

Introduction to Fostering Inquiry at Work Imagine a bustling office where deadlines loom large, meetings are packed with agendas, and every minute counts—yet no one dares to ask a clarifying question for fear of derailing the schedule. This scenario is all too common in modern workplaces, where the pressure to perform often overshadows the need for curiosity. Fostering an environment

Embedded Finance: From SaaS Promise to SME Practice

Imagine a small business owner managing daily operations through a single software platform, seamlessly handling not just inventory or customer relations but also payments, loans, and business accounts without ever stepping into a bank. This is the transformative vision of embedded finance, a trend that integrates financial services directly into vertical Software-as-a-Service (SaaS) platforms, turning them into indispensable tools for

DevOps Tools: Gateways to Major Cyberattacks Exposed

In the rapidly evolving digital ecosystem, DevOps tools have emerged as indispensable assets for organizations aiming to streamline software development and IT operations with unmatched efficiency, making them critical to modern business success. Platforms like GitHub, Jira, and Confluence enable seamless collaboration, allowing teams to manage code, track projects, and document workflows at an accelerated pace. However, this very integration

Trend Analysis: Agentic DevOps in Digital Transformation

In an era where digital transformation remains a critical yet elusive goal for countless enterprises, the frustration of stalled progress is palpable— over 70% of initiatives fail to meet expectations, costing billions annually in wasted resources and missed opportunities. This staggering reality underscores a persistent struggle to modernize IT infrastructure amid soaring costs and sluggish timelines. As companies grapple with