Researchers have identified a new variant of Golang malware using Telegram as its command and control (C2) channel. This malware, believed to originate from Russia, is still under development but already possesses significant capabilities that make it a formidable threat. Experts from Netskope uncovered this backdoor, which upon execution, sets the stage for its malicious operations. This approach of using Telegram as a C2 channel highlights the increasing tendency among threat actors to exploit cloud applications due to their ease of setup and the challenges they pose to defenders.
Increasing Use of Cloud Applications for Command and Control
Much of the growing trend among attackers involves leveraging cloud applications as their C2 channels. This tactic not only simplifies the setup process for the malicious actors but also poses significant detection challenges for security teams. Applications such as OneDrive, GitHub, and Dropbox have seen similar exploitation, making it difficult for defenders to differentiate between legitimate user activity and malicious communications. The utilization of these cloud platforms complicates the task for cybersecurity teams, as distinguishing normal traffic from nefarious actions becomes a daunting task due to the encryption and legitimate use of these services.
The newly discovered Golang malware follows this trend, opting for Telegram as its preferred C2 channel. Telegram’s widespread use and encryption features make it an attractive option for threat actors. The malware includes a critical function named “installSelf,” specifically designed to ensure its presence under a designated location and name on the infected system, “C:WindowsTempsvchost.exe.” Once properly installed, the malware turns to an open-source Go package to interact with Telegram, showcasing the sophistication and planning behind its development.
Technical Mechanism of the Golang Malware
The interaction with Telegram relies heavily on several functions, making it capable of responding to its operators’ commands efficiently. To create a bot instance, the malware utilizes the “NewBotAPIWithClient” function, which requires a token obtained from Telegram BotFather. Once the bot is established, it continually checks for new commands via the “GetUpdatesChan” function. This mechanism ensures that the malware remains responsive to commands sent through Telegram, allowing the attacker to maintain control over the infected systems discreetly.
The malware supports four primary commands that enable the attacker to execute specific tasks. These are: execute PowerShell commands, relaunch itself, capture screenshots, and delete itself. The most complex of these commands is the execution of PowerShell scripts, which requires the input of two separate messages: the command prompt and the subsequent PowerShell script. Once the PowerShell command is given, the malware waits for the next input, prompting the user with a message in Russian. The remaining three commands are straightforward, each requiring only a single confirmation message before execution.
Feedback from these commands is securely sent back to the attacker’s Telegram channel using an encrypted function named “sendEncrypted.” This ensures that even if the communications are intercepted, the content remains inaccessible without the decryption key. The approach not only masks the malicious communications but also leverages Telegram’s security features to the attackers’ advantage, thereby making it challenging for cybersecurity experts to detect and mitigate these threats effectively.
What’s Next for Cybersecurity
In a concerning development that underscores the continually advancing tactics of cybercriminals, researchers have discovered a new strain of Golang malware utilizing Telegram as its command and control (C2) channel. This particular malware is believed to have Russian origins and is still in its development stages. However, even in its current form, it possesses substantial capabilities, rendering it a significant threat. Netskope experts identified this backdoor, which, once executed, prepares for its malicious activities. The method of employing Telegram as a C2 channel highlights a growing trend among cybercriminals to leverage cloud-based applications. These applications are appealing due to their simplicity in setup and the considerable difficulties they present for cybersecurity defenders. Cybersecurity professionals must stay aware of such innovations as they pose new challenges in maintaining secure systems and protecting sensitive data from being compromised by increasingly sophisticated attacks.