Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Golang-based Backdoor Exploits Telegram for Command and Control Communication


A new Golang-based backdoor has been discovered by Netskope Threat Labs, exploiting Telegram for C2 communication. The malware, which appears to be of Russian origin, poses a significant threat to individuals and organizations worldwide.

  • The Netskope Threat Labs has discovered a new malware campaign that uses Telegram for command and control (C2) communication.
  • The malware is written in the Go (Golang) programming language and abuses a legitimate cloud application to blend in and evade detection.
  • The backdoor launches a new copy of itself before terminating, allowing it to remain stealthy.
  • The malicious code communicates with Telegram using an open-source Golang package for the Bot API.
  • The malware supports four commands: cmdExecute, persist, Relaunch, and Selfdestruct.
  • The "/cmd" prompt is sent in Russian, which hints at a Russian origin, but attribution remains speculative.
  • The discovery highlights the challenge of cloud apps being exploited for malicious purposes.
  • Staying vigilant in the face of evolving threat landscapes is crucial to protect against emerging threats.



  • A recent discovery by Netskope Threat Labs has shed light on a sophisticated new malware campaign that leverages the Telegram messaging platform to facilitate command and control (C2) communication. The malware, which appears to be of Russian origin, is built using the Golang programming language and exploits cloud applications to evade detection.

    The malicious code, identified as a backdoor, relocates itself to a predetermined location on the victim's system, "C:\Windows\Temp\svchost.exe," if it is not already present. It then launches a new copy of itself before terminating. This behavior allows the malware to remain stealthy and maintain a low profile.

    The backdoor communicates with Telegram using an open-source Golang package that provides bindings for the Telegram Bot API. The library enables the creation of a bot instance, retrieval of updates, and listening for commands. The malicious code supports four different commands, but only three are fully implemented:

    * cmdExecute: executes PowerShell commands
    * persist: re-launches itself under a new user account
    * Relaunch: relaunches itself under "C:\Windows\Temp\svchost.exe"
    * Selfdestruct: deletes its file and terminates

    The command "/cmd" is attributed to a Russian origin, based on the instruction "Enter the command:" being sent in Russian. This attribution is speculative, however, and requires further investigation.
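As an added, defender-side example that is not part of the original write-up or of Netskope's research: the Python script below runs three checks over constructed Sysmon-style process-creation and network-connection events modelled on the behaviour described above. It flags a binary named svchost.exe launched from outside the system directories (the write-up names C:\Windows\Temp\svchost.exe), PowerShell spawned by such a process, and connections to the Telegram Bot API from a process that is not a Telegram client. The hostname api.telegram.org is the Bot API's public endpoint and comes from general knowledge rather than from the page; the event field names, process IDs and sample records are all constructed for this example.

```python
import ntpath

# Constructed Sysmon-style events (EventID 1 = process create, EventID 3 = network
# connection). These are sample records written for this example, not telemetry
# captured from the campaign described in the write-up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\Temp\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\update.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe"},
    {"EventID": 1, "ProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 3, "ProcessId": 4321, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5555,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"EventID": 3, "ProcessId": 9001,
     "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]

# Directories from which the genuine svchost.exe is launched on a 64-bit Windows host.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Public hostname of the Telegram Bot API (assumption: taken from general knowledge of
# the API, not from the write-up) and the process names expected to talk to Telegram.
TELEGRAM_BOT_API_HOST = "api.telegram.org"
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe"}


def is_masquerading_svchost(image: str) -> bool:
    """True when a file named svchost.exe runs from somewhere other than the system dirs.

    ntpath is used so the Windows paths are parsed correctly on any analysis host.
    """
    if ntpath.basename(image).lower() != "svchost.exe":
        return False
    return ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS


def detect(events):
    """Apply the three checks to a list of events and return (rule, pid, image) findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        pid = ev.get("ProcessId")
        if ev["EventID"] == 1:
            # Check 1: svchost.exe relocated outside System32/SysWOW64.
            if is_masquerading_svchost(image):
                findings.append(("svchost_outside_system_dir", pid, image))
            # Check 2: PowerShell whose parent is a masquerading svchost (cmdExecute behaviour).
            parent = ev.get("ParentImage", "")
            if ntpath.basename(image).lower() == "powershell.exe" and is_masquerading_svchost(parent):
                findings.append(("powershell_from_masquerading_svchost", pid, image))
        elif ev["EventID"] == 3:
            # Check 3: Bot API traffic from a process that is not a known Telegram client.
            host = ev.get("DestinationHostname", "").lower()
            if host == TELEGRAM_BOT_API_HOST and ntpath.basename(image).lower() not in ALLOWED_TELEGRAM_CLIENTS:
                findings.append(("bot_api_traffic_from_unexpected_process", pid, image))
    return findings


if __name__ == "__main__":
    for rule, pid, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} image={image}")
```

Run against the constructed events, the script reports the Temp-located svchost.exe, its Bot API connection, and the PowerShell child, while the genuine System32 svchost.exe and the desktop Telegram client produce no findings. The process-name allowlist is the weakest part of the heuristic, since a name alone proves nothing; in production the third check would be backed by a code-signing or file-hash check on the connecting image, and the first check would alert on any executable launched from C:\Windows\Temp, not only one named svchost.exe.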

    Netskope Threat Labs highlights the challenge presented by cloud apps, which can be exploited for malicious purposes. The ease of use and accessibility of these applications make them attractive targets for attackers. In this case, the attackers have leveraged the Telegram platform to facilitate C2 communication, allowing them to maintain a high level of stealth.

    The discovery of this new backdoor underscores the importance of staying vigilant in the face of evolving threat landscapes. As cloud-based applications continue to gain traction, it is essential for organizations and individuals alike to remain aware of potential vulnerabilities and take proactive steps to protect themselves against emerging threats.



    Related Information:

  • https://securityaffairs.com/174306/malware/golang-based-backdoor-uses-telegram-for-c2.html

  • https://thehackernews.com/2025/02/new-golang-based-backdoor-uses-telegram.html


  • Published: Mon Feb 17 15:48:11 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.