Cybersecurity researchers have recently uncovered a new Golang-based backdoor malware that utilizes Telegram as its command-and-control (C2) mechanism. The malware, which is likely of Russian origin, is still in development but fully functional. It behaves like a backdoor once executed and begins by checking if it’s running from a specific location, “C:\Windows\Temp\svchost.exe.” If it isn’t, the malware writes itself to that location, creates a new process to run the copied version, and terminates the original instance.
A unique aspect of this malware is its use of an open-source library for Golang, which enables it to interact with the Telegram Bot API.
This allows the malware to receive commands from an actor-controlled chat channel on Telegram. Currently, it supports four commands, although only three are operational. The commands include executing PowerShell commands through “/cmd,” persisting the malware by relaunching it under the designated file path with “/persist,” and deleting itself with “/selfdestruct.”
While the “/screenshot” command is present in the code, it remains unimplemented, and researchers have noted that it sends a “Screenshot captured” message even though no screenshot is actually taken. The command-and-control infrastructure for this malware revolves around Telegram’s simplicity and its ability to enable attackers to easily set up and run attacks. The Russian origin is suggested by the use of Russian text in one of the commands, further supporting the theory that this malware may be part of a broader campaign linked to Russian threat actors.
Netskope Threat Labs highlighted the challenges that cloud apps present for defenders, with this malware leveraging Telegram as an example of how attackers are utilizing easily accessible platforms to carry out complex attacks. The ease of setting up Telegram-based C2 channels and the ability to hide the malware’s activities within legitimate traffic makes this type of attack particularly difficult to detect and mitigate.
