Golang Malware Uses Telegram as Command and Control Channel

Article Highlights
Off On

Researchers have identified a new variant of Golang malware using Telegram as its command and control (C2) channel. This malware, believed to originate from Russia, is still under development but already possesses significant capabilities that make it a formidable threat. Experts from Netskope uncovered this backdoor, which upon execution, sets the stage for its malicious operations. This approach of using Telegram as a C2 channel highlights the increasing tendency among threat actors to exploit cloud applications due to their ease of setup and the challenges they pose to defenders.

Increasing Use of Cloud Applications for Command and Control

Much of the growing trend among attackers involves leveraging cloud applications as their C2 channels. This tactic not only simplifies the setup process for the malicious actors but also poses significant detection challenges for security teams. Applications such as OneDrive, GitHub, and Dropbox have seen similar exploitation, making it difficult for defenders to differentiate between legitimate user activity and malicious communications. The utilization of these cloud platforms complicates the task for cybersecurity teams, as distinguishing normal traffic from nefarious actions becomes a daunting task due to the encryption and legitimate use of these services.

The newly discovered Golang malware follows this trend, opting for Telegram as its preferred C2 channel. Telegram’s widespread use and encryption features make it an attractive option for threat actors. The malware includes a critical function named “installSelf,” specifically designed to ensure its presence under a designated location and name on the infected system, “C:WindowsTempsvchost.exe.” Once properly installed, the malware turns to an open-source Go package to interact with Telegram, showcasing the sophistication and planning behind its development.

Technical Mechanism of the Golang Malware

The interaction with Telegram relies heavily on several functions, making it capable of responding to its operators’ commands efficiently. To create a bot instance, the malware utilizes the “NewBotAPIWithClient” function, which requires a token obtained from Telegram BotFather. Once the bot is established, it continually checks for new commands via the “GetUpdatesChan” function. This mechanism ensures that the malware remains responsive to commands sent through Telegram, allowing the attacker to maintain control over the infected systems discreetly.

The malware supports four primary commands that enable the attacker to execute specific tasks. These are: execute PowerShell commands, relaunch itself, capture screenshots, and delete itself. The most complex of these commands is the execution of PowerShell scripts, which requires the input of two separate messages: the command prompt and the subsequent PowerShell script. Once the PowerShell command is given, the malware waits for the next input, prompting the user with a message in Russian. The remaining three commands are straightforward, each requiring only a single confirmation message before execution.

Feedback from these commands is securely sent back to the attacker’s Telegram channel using an encrypted function named “sendEncrypted.” This ensures that even if the communications are intercepted, the content remains inaccessible without the decryption key. The approach not only masks the malicious communications but also leverages Telegram’s security features to the attackers’ advantage, thereby making it challenging for cybersecurity experts to detect and mitigate these threats effectively.

What’s Next for Cybersecurity

In a concerning development that underscores the continually advancing tactics of cybercriminals, researchers have discovered a new strain of Golang malware utilizing Telegram as its command and control (C2) channel. This particular malware is believed to have Russian origins and is still in its development stages. However, even in its current form, it possesses substantial capabilities, rendering it a significant threat. Netskope experts identified this backdoor, which, once executed, prepares for its malicious activities. The method of employing Telegram as a C2 channel highlights a growing trend among cybercriminals to leverage cloud-based applications. These applications are appealing due to their simplicity in setup and the considerable difficulties they present for cybersecurity defenders. Cybersecurity professionals must stay aware of such innovations as they pose new challenges in maintaining secure systems and protecting sensitive data from being compromised by increasingly sophisticated attacks.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable