Telegram Abused As C2 Channel For New Golang Backdoor
Thumbnail
This article details the discovery of a new Go backdoor malware suspected to originate from Russia. Utilizing Telegram as its command and control (C2) channel, the malware is fully functional albeit still under development. Its design complicates detection as it masquerades as legitimate API communications through cloud applications, exemplifying challenges faced by cybersecurity defenders. Affected: Malware, Cybersecurity Sector

Keypoints :

  • A new Go backdoor has been discovered, potentially of Russian origin.
  • The malware utilizes Telegram for command and control operations.
  • This malware is fully functional despite being under development.
  • The initial installation checks the malware’s execution location and relaunches if necessary.
  • It supports four commands, three of which are implemented.
  • The command outputs are sent back to the Telegram channel.
  • The use of cloud applications complicates detection for defenders.
  • Netskope Advanced Threat Protection detects the reported threat.
  • The repository for all related IOCs and scripts is available on GitHub.

MITRE Techniques :

  • Command and Control (T1071) – Malware uses Telegram API to send and receive commands.
  • Persistence (T1547) – The malware relaunches itself using the “installSelf” function under a specific path.
  • Execution (T1059) – Executes PowerShell commands received from Telegram.
  • Inhibition of Service (T1203) – The malware can delete itself using the /selfdestruct command.

Indicator of Compromise :

  • [Token] 8069094157:AAEyzkW_3R3C-tshfLwgdTYHEluwBxQnBuk
  • [File Path] C:WindowsTempsvchost.exe


Full Story: https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor