Telegram Used as C2 Channel for New Golang Malware

by CybrGPT

Threat actors are using Telegram as a command and control (C2) channel for a new Golang malware variant, according to a Netskope report.

The malware, believed to be of Russian origin, acts like a backdoor once executed. Although it is still under development, it is completely functional.

The researchers noted that the use of cloud apps as C2 channels represents a highly effective approach for attackers.

Firstly, it is easy to set up, because there is no need to build a whole C2 infrastructure. Additionally, it is difficult for defenders to distinguish C2 communications from a legitimate user calling a cloud app's API.

The researchers said that attackers are becoming aware of these advantages and are likely to ramp up their exploitation of cloud apps as C2 channels going forward.

“Applications like OneDrive, GitHub, DropBox, etc. are examples of cloud apps that can also present a challenge to defenders to detect if abused in a similar way,” they warned.


How Golang Malware Interacts with Telegram

Netskope researchers identified mechanisms in the Golang backdoor used to interact with Telegram for C2 purposes.

The payload contains an “installSelf” function. Once executed, this function checks whether the malware is running from a specific location and under a specific name: “C:\Windows\Temp\svchost.exe”.

If that is not the case, the malware reads its own content, writes it to the correct location, and creates a new process to launch a copied version before terminating itself.

Once the malware is executed from the correct location, it uses an open-source Go package to interact with Telegram as its C2 mechanism.

This package uses a function called NewBotAPIWithClient, which creates a bot instance based on a provided token created by the Telegram BotFather feature.

Another function, GetUpdatesChan, is then called. This function creates a channel that keeps checking whether new commands to be executed have arrived from the Telegram chat.

When new commands are sent, the malware checks the length of the command and the command itself to make sure it is valid.

The Golang backdoor can support four different commands. These are:

  • /cmd: Execute commands via PowerShell
  • /persist: Relaunch itself under C:\Windows\Temp\svchost.exe
  • /screenshot: Capture a screenshot
  • /selfdestruct: Delete itself

All messages the malware sends back to the Telegram channel go through the package's Send function, which is wrapped in a function called “sendEncrypted”.

The “/cmd” command is the only one that requires two chat messages: the first is the command itself, the second is the PowerShell command to be executed. After the first message is received, the malware replies with the string “Enter the command” in Russian. It then waits for the PowerShell command to be sent and executes it.

With the other three commands, the malware sends a single message confirming the action has been completed.
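A defender-side check for the behaviour described above, added here as an example (it is not Netskope's analysis code or the malware's own): it scans constructed proxy/EDR log lines for the two indicators the write-up gives, svchost.exe running from C:\Windows\Temp rather than System32, and Telegram Bot API calls (such as the getUpdates long-poll and sendMessage) from a process that is not an approved bot client. The log line format, the allow-list and the sample entries are assumptions; the https://api.telegram.org/bot<token>/<method> URL shape is the public Bot API format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one alert raised over a single log line.
type Finding struct {
	Line   int
	Reason string
}

// Constructed sample telemetry (not real logs). Assumed format: proc="<image path>" <METHOD> <URL>
var sampleLogs = []string{
	`proc="C:\Windows\System32\svchost.exe" GET https://updates.example.com/patch.cab`,
	`proc="C:\Windows\Temp\svchost.exe" GET https://api.telegram.org/bot123456:EXAMPLE_TOKEN/getUpdates?offset=1&timeout=60`,
	`proc="C:\Windows\Temp\svchost.exe" POST https://api.telegram.org/bot123456:EXAMPLE_TOKEN/sendMessage`,
	`proc="C:\Tools\python.exe" GET https://api.telegram.org/bot987654:EXAMPLE_TOKEN/getUpdates?timeout=60`,
}

var lineRe = regexp.MustCompile(`^proc="([^"]+)"\s+(\w+)\s+(\S+)$`)
// Bot API calls have the shape https://api.telegram.org/bot<token>/<method>.
var botAPIRe = regexp.MustCompile(`^https://api\.telegram\.org/bot[^/]+/(\w+)`)

// Assumed allow-list of images permitted to use the Bot API (lower-cased paths).
var allowedBotClients = map[string]bool{`c:\tools\python.exe`: true}

// Analyze applies two checks from the write-up: svchost.exe outside its legitimate directories
// (the backdoor persists as C:\Windows\Temp\svchost.exe), and Bot API traffic from an unapproved process.
func Analyze(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil {
			continue // unparseable line, skipped
		}
		proc := strings.ToLower(m[1])
		if strings.HasSuffix(proc, `\svchost.exe`) &&
			!strings.HasPrefix(proc, `c:\windows\system32\`) &&
			!strings.HasPrefix(proc, `c:\windows\syswow64\`) {
			out = append(out, Finding{i, "svchost.exe running outside System32: " + m[1]})
		}
		if bm := botAPIRe.FindStringSubmatch(m[3]); bm != nil && !allowedBotClients[proc] {
			out = append(out, Finding{i, fmt.Sprintf("%s called Telegram Bot API method %s", m[1], bm[1])})
		}
	}
	return out
}
```

Running Analyze over sampleLogs raises four findings, all on the two C:\Windows\Temp\svchost.exe lines, while the System32 svchost and the allow-listed bot client produce none.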

The Netskope researchers will continue to monitor how this Golang backdoor evolves and the tactics, techniques and procedures (TTPs) it uses.

Image credit: kovop / Shutterstock.com


© 2025 cybrgpt.com – All rights reserved.