CyberSecurity news
info@thehackernews.com (The Hacker News)@The Hacker News
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.
Netskope notes that the use of cloud applications like Telegram presents a challenge for defenders, because attackers exploit the ease of use and setup these apps provide at various stages of an attack. The use of Russian in the "/cmd" instruction, which sends the message "Enter the command:" in Russian, further supports the assessment of potential Russian origin. In short, the malware uses Telegram for C2 and can execute PowerShell commands and self-destruct to evade detection.
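As an added example (not code from Netskope's or The Hacker News' write-up), a defender-side check that flags the two indicators the description gives: svchost.exe running from C:\Windows\Temp instead of its legitimate System32 directories, and a Temp-resident process connecting to the Telegram Bot API. The log line format and sample events are constructed, and api.telegram.org is assumed to be the Bot API endpoint.

```python
from pathlib import PureWindowsPath

# Assumption: a standard Windows install keeps svchost.exe only in these directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: Bot API traffic goes to this hostname.
TELEGRAM_API_HOST = "api.telegram.org"


def parse_event(line):
    """Parse a constructed 'key=value|key=value' Sysmon-like line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def suspicious_image(image):
    """True if the image is svchost.exe running outside its legitimate directories."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def find_suspicious(lines):
    """Return (reason, image) pairs for events matching the backdoor's described behaviour."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if ev.get("EventType") == "ProcessCreate" and suspicious_image(image):
            hits.append(("svchost.exe outside System32", image))
        if (ev.get("EventType") == "NetworkConnect"
                and ev.get("DestinationHostname", "").lower() == TELEGRAM_API_HOST
                and "\\temp\\" in image.lower()):
            hits.append(("Temp-resident process talking to Telegram Bot API", image))
    return hits


# Constructed sample events: one legitimate svchost, the Temp copy being launched,
# the Temp copy reaching the Bot API, and a legitimate desktop client doing the same.
SAMPLE_LOG = [
    r"EventType=ProcessCreate|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"EventType=ProcessCreate|Image=C:\Windows\Temp\svchost.exe|ParentImage=C:\Users\alice\Downloads\update.exe",
    r"EventType=NetworkConnect|Image=C:\Windows\Temp\svchost.exe|DestinationHostname=api.telegram.org|DestinationPort=443",
    r"EventType=NetworkConnect|Image=C:\Program Files\Telegram Desktop\Telegram.exe|DestinationHostname=api.telegram.org|DestinationPort=443",
]

if __name__ == "__main__":
    for reason, image in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {reason}: {image}")
```

The path check alone catches the copy-to-Temp step regardless of C2 channel; the network check narrows a Telegram hit to processes that have no business living in Temp.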
References :
- ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
- securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
- The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
- Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
- www.scworld.com: Telegram API exploited by new Golang backdoor
- Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct.
- securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram.
- Threat Labs - Netskope: 🚩Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
- www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
Classification:
- HashTags: #Malware #Telegram #CyberSecurity
- Company: Telegram
- Target: Systems Using Telegram API
- Attacker: Netskope Threat Labs
- Product: Telegram Bot API
- Feature: command-and-control
- Malware: Golang Backdoor
- Type: Malware
- Severity: Major