
Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications.
Netskope Threat Labs, which detailed the malware’s functionality, described it as possibly of Russian origin.
“The malware is compiled in Golang and, once executed, it acts like a backdoor,” Leandro Fróes said in an analysis published last week. “The malware appears to still be under development, but it works perfectly.”

Once launched, the backdoor checks whether it is running from a specific location under a specific name (“c:\windows\temp\svchost.exe”). If not, it copies itself to that path, creates a new process to launch the copied version, and terminates itself.
A notable aspect of the malware is its use of an open-source library that provides Golang bindings for the Telegram Bot API, which it relies on for C2.
This involves polling the Telegram Bot API for new commands posted in an actor-controlled chat. The backdoor supports four different commands, although only three of them are currently implemented:
/cmd – execute commands via PowerShell
/persist – relaunch itself from “c:\windows\temp\svchost.exe”
/screenshot – not implemented
/selfdestruct – delete the “c:\windows\temp\svchost.exe” file and terminate itself

The output of these commands is sent back to the Telegram chat. Netskope noted that the “/screenshot” command replies with a “Screenshot captured” message even though the functionality is entirely unimplemented.
The malware’s Russian roots are inferred from the fact that the “/cmd” command sends its prompt to the chat in Russian.
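As an added example (not Netskope’s code and not part of the original article), here is a small Go program a defender could use to hunt for this C2 pattern in proxy or EDR network logs. It flags requests to the Telegram Bot API endpoint (https://api.telegram.org/bot<token>/<method>), raises the severity when the requesting image is an svchost.exe outside the Windows system directories (such as the c:\windows\temp\svchost.exe path described above), and masks the bot token before reporting. The tab-separated log format, the file paths and the tokens are constructed for this example and are not real indicators.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one flagged log line.
type Finding struct {
	Line     int
	Image    string
	Method   string // Bot API method taken from the URL path (getUpdates, sendMessage, ...)
	URL      string // URL with the bot token redacted
	Severity string // "medium": any Bot API use; "high": also from a suspicious svchost.exe image
}

// A Bot API call looks like https://api.telegram.org/bot<token>/<method>. The token
// has the shape <digits>:<alphanumeric string>; the method is the next path element.
var botAPI = regexp.MustCompile(`https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/([A-Za-z]+)`)

// tokenInURL matches just the token segment so it can be masked before reporting.
var tokenInURL = regexp.MustCompile(`/bot\d+:[A-Za-z0-9_-]+/`)

// redactToken masks the bot token: whoever holds it can read and post to the
// operator's chat, so it should not be copied verbatim into tickets or alerts.
func redactToken(url string) string {
	return tokenInURL.ReplaceAllString(url, "/bot<redacted>/")
}

// suspiciousImage is true for a process named svchost.exe that does not live in
// one of the directories where the genuine binary is found.
func suspiciousImage(image string) bool {
	p := strings.ToLower(strings.ReplaceAll(image, "/", `\`))
	if !strings.HasSuffix(p, `\svchost.exe`) {
		return false
	}
	for _, dir := range []string{`c:\windows\system32\`, `c:\windows\syswow64\`} {
		if strings.HasPrefix(p, dir) {
			return false
		}
	}
	return true
}

// Scan reads tab-separated "timestamp<TAB>image<TAB>url" lines (a constructed
// format standing in for a proxy or EDR network log) and flags Bot API traffic.
func Scan(text string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(raw, "\t")
		if len(f) < 3 {
			continue
		}
		m := botAPI.FindStringSubmatch(f[2])
		if m == nil {
			continue
		}
		sev := "medium"
		if suspiciousImage(f[1]) {
			sev = "high"
		}
		out = append(out, Finding{Line: i + 1, Image: f[1], Method: m[1], URL: redactToken(f[2]), Severity: sev})
	}
	return out
}

// sampleLog is constructed for this example; the hosts are illustrative and the tokens are not real.
const sampleLog = "2025-02-10T10:00:01Z\tC:\\Windows\\Temp\\svchost.exe\thttps://api.telegram.org/bot123456789:AAExampleTokenNotRealxxxxxxxxxxxxxxx/getUpdates?offset=42&timeout=60\n" +
	"2025-02-10T10:00:03Z\tC:\\Windows\\Temp\\svchost.exe\thttps://api.telegram.org/bot123456789:AAExampleTokenNotRealxxxxxxxxxxxxxxx/sendMessage\n" +
	"2025-02-10T10:00:05Z\tC:\\Windows\\System32\\svchost.exe\thttps://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab\n" +
	"2025-02-10T10:00:07Z\tC:\\Users\\alice\\go\\bin\\mybot.exe\thttps://api.telegram.org/bot987654321:BBAnotherExampleTokenNotRealxxxxxxxx/getMe\n" +
	"2025-02-10T10:00:09Z\tC:\\Program Files\\Mozilla Firefox\\firefox.exe\thttps://telegram.org/\n"

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("line %d [%s] %s -> %s (%s)\n", f.Line, f.Severity, f.Image, f.Method, f.URL)
	}
}
```

Polling getUpdates and replying with sendMessage is exactly the pair of calls a Bot API C2 channel makes, which is why both appear in the sample. Bot API use is not malicious in itself (line 4 of the sample is a developer’s own bot), so the process image is what turns a medium finding into a high one; a matching rule in a real environment should likewise pair the destination with the originating process rather than blocking api.telegram.org outright.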
“The use of cloud apps presents a complex challenge to defenders, and attackers are aware of it,” Fróes said. “Other aspects, such as how easy it is to set up and start using the app, are examples of why attackers use such applications in different phases of an attack.”