Cybersecurity researchers have discovered a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications.
Netskope Threat Labs, which detailed the features of the malware, described it as probably of Russian origin.
“The malware is compiled in Golang and once executed it acts like a backdoor,” security researcher Leandro Fróes said in an analysis published last week. “Although the malware seems to still be under development it is completely functional.”
Once launched, the backdoor is designed to check whether it is running from a specific location and under a specific name, “C:\Windows\Temp\svchost.exe”, and if not, it reads its own contents, writes them to that location, and creates a new process to launch the copied version and terminate itself.
A notable aspect of the malware is that it uses an open-source library that offers Golang bindings for the Telegram Bot API for C2 purposes.
This involves interacting with the Telegram Bot API to receive new commands originating from an actor-controlled chat. It supports four different commands, although only three of them are currently implemented:
- /cmd – Execute commands via PowerShell
- /persist – Relaunch itself from “C:\Windows\Temp\svchost.exe”
- /screenshot – Not implemented
- /selfdestruct – Delete the “C:\Windows\Temp\svchost.exe” file and terminate itself
The output of these commands is sent back to the Telegram channel. Netskope said that the “/screenshot” command sends the message “Screenshot captured” despite it not being fully fleshed out.
The Russian roots of the malware are explained by the fact that the “/cmd” command sends the message “Enter the command:” in Russian to the chat.
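Two traits described above give defenders something concrete to hunt for: a binary named svchost.exe running from C:\Windows\Temp instead of System32, and a non-Telegram process talking to the Telegram Bot API. The following Go program is an added example (not Netskope's code and not the malware) that applies both checks to constructed process-creation records; the field names, the allowlisted directories and the api.telegram.org hostname for the Bot API are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed stand-in for a process-creation/network record
// (e.g. the Image and DestinationHostname fields of Sysmon events 1 and 22).
type ProcEvent struct {
	Image    string // full path of the executable
	DestHost string // hostname the process connected to, empty if none
}

// Directories from which a genuine svchost.exe is expected to run (assumption).
var legitSvchostDirs = []string{`c:\windows\system32`, `c:\windows\syswow64`}

// Processes allowed to talk to the Telegram Bot API endpoint (assumption).
var allowedTelegramClients = []string{"telegram.exe"}

// splitWinPath splits a Windows path on its last backslash; filepath.Dir is
// not used because it treats backslashes as ordinary characters on Linux.
func splitWinPath(p string) (dir, base string) {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return "", p
	}
	return p[:i], p[i+1:]
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Findings returns the reasons an event matches the backdoor's behaviour, or nil.
func Findings(ev ProcEvent) []string {
	var out []string
	dir, base := splitWinPath(strings.ToLower(ev.Image))
	if base == "svchost.exe" && !contains(legitSvchostDirs, dir) {
		out = append(out, "svchost.exe outside System32/SysWOW64: "+ev.Image)
	}
	if strings.EqualFold(ev.DestHost, "api.telegram.org") && !contains(allowedTelegramClients, base) {
		out = append(out, "non-Telegram process contacting Telegram Bot API: "+ev.Image)
	}
	return out
}

func main() {
	// Constructed sample: the persistence path from the report plus a Bot API connection.
	fmt.Println(Findings(ProcEvent{Image: `C:\Windows\Temp\svchost.exe`, DestHost: "api.telegram.org"}))
}
```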
“The use of cloud apps presents a complex challenge to defenders and attackers know it,” Fróes said. “Other aspects such as how easy it is to set up and start using the app are examples of why attackers use applications like that in different phases of an attack.”