
Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram as its command-and-control (C2) channel. According to researcher Leandro Fróes, the malware appears to be in its early development stages but is already fully functional and capable of executing remote commands, persisting on infected systems, and even self-destructing.
The malware, which is believed to be of Russian origin, operates by registering a Telegram bot and using a dedicated chat channel to receive commands and exfiltrate data.
“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” says the report.
The malware, written in Go, is structured as a remote access backdoor, giving attackers full control over compromised systems via a Telegram bot.
The first stage of execution involves the malware ensuring it is running under a specific path and name: “The function checks if the malware is running under a specific location and using a specific name, more specifically ‘C:\Windows\Temp\svchost.exe’. If that’s not the case it reads the content of itself, writes to that location, creates a new process to launch its new copy and terminates itself.” This allows it to persist on the system, making it more difficult to remove manually.
Once the malware confirms its location, it initializes communication with Telegram, using the NewBotAPIWithClient function from an open-source Go package. This allows it to create a bot instance using a token generated via Telegram’s BotFather service.
After connecting to Telegram, the malware continuously listens for commands using the GetUpdatesChan function, checking for instructions from the attacker’s Telegram chat.
The malware supports several commands, including the ability to execute arbitrary PowerShell commands, persist on the infected system, and self-destruct. The use of PowerShell, a powerful scripting language built into Windows, allows the attackers to perform a wide range of malicious activities, such as stealing data, installing additional malware, or taking control of the entire system.
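The three behaviours described above (a copy of itself masquerading as svchost.exe under C:\Windows\Temp, arbitrary PowerShell launched by that copy, and a non-browser process talking to the Telegram Bot API) each leave a footprint in ordinary endpoint telemetry. The following Go program is an added detection example written for this article; it is not code from Netskope's report or from the malware. It assumes a constructed `key=value;key=value` log format loosely modelled on Sysmon process-creation and network-connection events, an allow-list of processes expected to contact Telegram that a real deployment would tune, and the fact that `api.telegram.org` is Telegram's documented Bot API host.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal process-creation / network-connection record. The
// "key=value;key=value" log format is constructed for this example.
type Event struct {
	Kind        string // "process" or "network"
	Image       string // full path of the executable behind the event
	ParentImage string // parent process image (process events only)
	DestHost    string // destination hostname (network events only)
}

// Finding is one rule hit: the rule name and the offending image path.
type Finding struct{ Rule, Image string }

// ParseEvent parses one constructed log line into an Event.
func ParseEvent(line string) (Event, bool) {
	var e Event
	for _, field := range strings.Split(line, ";") {
		kv := strings.SplitN(strings.TrimSpace(field), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch strings.ToLower(kv[0]) {
		case "kind":
			e.Kind = kv[1]
		case "image":
			e.Image = kv[1]
		case "parentimage":
			e.ParentImage = kv[1]
		case "desthost":
			e.DestHost = kv[1]
		}
	}
	return e, e.Kind != "" && e.Image != ""
}

// splitPath returns the lowercased directory and file name of a Windows path.
func splitPath(p string) (dir, name string) {
	p = strings.ToLower(p)
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return "", p
	}
	return p[:i], p[i+1:]
}

// Legitimate homes for svchost.exe; anything else is a masquerade.
var svchostDirs = map[string]bool{`c:\windows\system32`: true, `c:\windows\syswow64`: true}

// Processes expected to reach Telegram directly (assumed allow-list; tune per environment).
var telegramAllowed = map[string]bool{"telegram.exe": true, "firefox.exe": true, "chrome.exe": true, "msedge.exe": true}

// Analyze applies three behavioural rules derived from the reported backdoor
// to the log lines and returns every hit in input order.
func Analyze(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		e, ok := ParseEvent(line)
		if !ok {
			continue
		}
		dir, name := splitPath(e.Image)
		switch e.Kind {
		case "process":
			// Rule 1: svchost.exe running outside its system directories
			// (the sample relocates to C:\Windows\Temp\svchost.exe).
			if name == "svchost.exe" && !svchostDirs[dir] {
				out = append(out, Finding{"svchost_masquerade", e.Image})
			}
			// Rule 2: PowerShell spawned by a process living in Temp, matching
			// the backdoor's "execute arbitrary PowerShell" command.
			if pdir, _ := splitPath(e.ParentImage); name == "powershell.exe" && strings.HasPrefix(pdir, `c:\windows\temp`) {
				out = append(out, Finding{"powershell_from_temp", e.ParentImage})
			}
		case "network":
			// Rule 3: a process outside the allow-list contacting the Bot API host.
			if strings.EqualFold(e.DestHost, "api.telegram.org") && !telegramAllowed[name] {
				out = append(out, Finding{"telegram_c2_candidate", e.Image})
			}
		}
	}
	return out
}

// SampleLines are constructed events: two benign, three mirroring the report.
var SampleLines = []string{
	`kind=process;image=C:\Windows\System32\svchost.exe;parentimage=C:\Windows\System32\services.exe`,
	`kind=process;image=C:\Windows\Temp\svchost.exe;parentimage=C:\Users\alice\Downloads\update.exe`,
	`kind=process;image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;parentimage=C:\Windows\Temp\svchost.exe`,
	`kind=network;image=C:\Program Files\Mozilla Firefox\firefox.exe;desthost=api.telegram.org`,
	`kind=network;image=C:\Windows\Temp\svchost.exe;desthost=api.telegram.org`,
}

func main() {
	for _, f := range Analyze(SampleLines) {
		fmt.Printf("%-22s %s\n", f.Rule, f.Image)
	}
}
```

Run against the constructed sample, the benign system svchost.exe and the Firefox connection pass silently, while the Temp copy, the PowerShell it launches, and its Bot API connection each produce one finding. Rule 3 is the one that addresses the report's point about cloud-app C2 blending in with normal API use: the destination alone is not suspicious, so the rule keys on which process is making the connection rather than on the host.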
Netskope Threat Labs has released a comprehensive list of indicators of compromise (IOCs) and scripts related to this malware on their GitHub repository. This information can be used by security professionals to detect and mitigate the threat posed by this new backdoor.