A newly identified Golang backdoor utilizes Telegram for command and control (C2) operations. This malware, discovered by cybersecurity experts at Netskope, exploits Telegram's API for malicious activities. This article explores the mechanics of this threat and offers guidance on safeguarding against it.

Understanding the Golang Backdoor

The malware, identified as Trojan.Generic.37477095, appears to originate from Russia and is still potentially under development. It abuses cloud services such as Telegram, which are easy for attackers to reach and hard for researchers to monitor. This approach removes the need for dedicated attacker infrastructure, which makes it attractive to cybercriminals.

Malware Execution Process

Upon execution, the Golang-compiled malware calls an "installSelf" function. This function checks whether it is running from the expected location and filename, "C:\Windows\Temp\svchost.exe". If not, it copies itself to that location, starts a new process to execute the copy, and terminates the original instance. This ensures the malware operates from the intended location before proceeding.

  • Location Verification: Checks if running from "C:\Windows\Temp\svchost.exe".
  • Self-Replication: Copies itself to the correct location if necessary.

Command and Control via Telegram

The backdoor uses an open-source Go package to interact with Telegram. It creates a bot instance using a bot token obtained through Telegram's BotFather. The malware then polls a designated Telegram chat for new commands.

Supported Commands

The malware supports four commands, with three currently implemented. It validates the length and content of received messages before execution.

  • /cmd: Executes a PowerShell command in a hidden window after receiving a two-part message.
  • /persist: Repeats the initial installation check and process, relaunching the malware.
  • /screenshot: Sends a "Screenshot captured" message, though not fully implemented.
  • /selfdestruct: Deletes the malware file and terminates the process, notifying the Telegram channel.

Implications and Defense Strategies

This abuse of cloud applications for malicious purposes underscores the difficulties defenders face. Using cloud apps as C2 channels is not common, but it is effective because it requires no additional infrastructure and is hard to distinguish from legitimate API use.

To protect against such threats, ensure you have up-to-date antivirus and anti-malware software installed on all devices. These solutions should be capable of detecting and blocking malicious files, including those compiled in Go.
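As an added defender-side example (not code from the article or from Netskope), the following Go program triages constructed endpoint telemetry for the three behaviours described above: svchost.exe launching from C:\Windows\Temp rather than System32, PowerShell spawned by that copy, and a process other than an allowlisted Telegram client reaching the Bot API host api.telegram.org. The event schema, the allowlist entry and the sample records are assumptions; api.telegram.org is the public Telegram Bot API host, which the article itself does not name.

```go
package main

import "strings"

// Event is a simplified endpoint telemetry record; the schema is an assumption
// for this example, not a real EDR or Sysmon format. Kind is "process" or "network".
type Event struct {
	Kind, Image, ParentImage, DestHost string
}

// fakeSvchost reports whether p is an svchost.exe outside the two directories
// Windows ships it from; the backdoor copies itself to C:\Windows\Temp\svchost.exe.
func fakeSvchost(p string) bool {
	p = strings.ToLower(p)
	return strings.HasSuffix(p, `\svchost.exe`) &&
		!strings.HasPrefix(p, `c:\windows\system32\`) && !strings.HasPrefix(p, `c:\windows\syswow64\`)
}
// baseName returns the lower-cased file name of a Windows path.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}
// Processes permitted to reach the Telegram Bot API (assumed example entry).
var botAPIAllowlist = map[string]bool{"telegram.exe": true}

// Triage flags the behaviours described in the article: a fake svchost.exe, PowerShell
// spawned by it (the /cmd handler), and a non-allowlisted process reaching api.telegram.org.
func Triage(events []Event) []string {
	var findings []string
	for _, e := range events {
		switch {
		case e.Kind == "process" && fakeSvchost(e.Image):
			findings = append(findings, "svchost.exe outside System32: "+e.Image)
		case e.Kind == "process" && baseName(e.Image) == "powershell.exe" && fakeSvchost(e.ParentImage):
			findings = append(findings, "PowerShell spawned by fake svchost: "+e.ParentImage)
		case e.Kind == "network" && strings.HasSuffix(strings.ToLower(e.DestHost), "api.telegram.org") && !botAPIAllowlist[baseName(e.Image)]:
			findings = append(findings, "unexpected process contacting Telegram Bot API: "+e.Image)
		}
	}
	return findings
}
// SampleEvents is constructed telemetry: two benign records and three that match.
func SampleEvents() []Event {
	return []Event{
		{Kind: "process", Image: `C:\Windows\System32\svchost.exe`, ParentImage: `C:\Windows\System32\services.exe`},
		{Kind: "process", Image: `C:\Windows\Temp\svchost.exe`, ParentImage: `C:\Users\alice\Downloads\update.exe`},
		{Kind: "network", Image: `C:\Windows\Temp\svchost.exe`, DestHost: "api.telegram.org"},
		{Kind: "process", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, ParentImage: `C:\Windows\Temp\svchost.exe`},
		{Kind: "network", Image: `C:\Program Files\Telegram Desktop\Telegram.exe`, DestHost: "api.telegram.org"},
	}
}
```

Running Triage over SampleEvents yields three findings and leaves the genuine System32 svchost.exe and the allowlisted Telegram client unflagged; in practice the allowlist should be populated from your own environment's sanctioned bot integrations.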
