Cybersecurity researchers have make clear a brand new Golang-based backdoor that makes use of Telegram as a mechanism for command-and-control (C2) communications.
Netskope Risk Labs, which detailed the capabilities of the malware, described it as probably of Russian origin.
“The malware is compiled in Golang and as soon as executed it acts like a backdoor,” safety researcher Leandro Fróes said in an evaluation printed final week. “Though the malware appears to nonetheless be below improvement it’s utterly practical.”
As soon as launched, the backdoor is designed to examine if it is working below a selected location and utilizing a selected identify – “C:WindowsTempsvchost.exe” – and if not, it reads its personal contents, writes them to that location, and creates a brand new course of to launch the copied model and terminate itself.
A notable side of the malware is that it makes use of an open-source library that gives Golang bindings for the Telegram Bot API for C2 functions.
This entails interacting with the Telegram Bot API to obtain new instructions originating from an actor-controlled chat. It helps 4 totally different instructions, though solely three of them are at present applied –
- /cmd – Execute instructions through PowerShell
- /persist – Relaunch itself below “C:WindowsTempsvchost.exe”
- /screenshot – Not applied
- /selfdestruct – Delete the “C:WindowsTempsvchost.exe” file and terminate itself
The output of those instructions is shipped again to the Telegram channel. Netskope stated that the “/screenshot” command sends the message “Screenshot captured” regardless of it not being totally fleshed out.
The Russian roots of the malware are defined by the truth that the “/cmd” instruction sends the message “Enter the command:” in Russian to the chat.
“The usage of cloud apps presents a posh problem to defenders and attackers know it,” Fróes stated. “Different features akin to how straightforward it’s to set and begin using the app are examples of why attackers use functions like that in several phases of an assault.”
