- Netskope discovers new Go-built backdoor spreading malware
- It uses Telegram as its C2 infrastructure to deliver commands
- The backdoor is most likely of Russian origin, experts warn
A new backdoor threat has been spotted using Telegram as its command-and-control (C2) infrastructure, researchers have warned.
Cybersecurity researchers from Netskope spotted a new backdoor built in Golang, also known as Go, a programming language best known for its simplicity, concurrency support, and efficiency in building scalable backend systems, cloud services, and networking applications.
The backdoor is capable of executing PowerShell commands, can self-destruct, and checks for and executes predefined commands. However, what makes it really stand out from the crowd is its C2 infrastructure: it uses a specific function to create a bot instance, using a Telegram API token generated via BotFather. Then, it uses a separate function to continuously listen for incoming commands from a Telegram chat. Before executing any predefined actions, the malware verifies the received command's validity.
Difficult defense
Using Telegram, or other cloud services, as a C2 server is nothing new, the researchers explained, but it is dangerous, since it is difficult for security professionals to distinguish between malicious and benign data flows.
"Although the use of cloud apps as C2 channels is not something we see every day, it's a very effective method used by attackers not only because there's no need to implement a whole infrastructure for it, making attackers' lives easier, but also because it's very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication," Netskope said in the article.
Besides Telegram, threat actors often use OneDrive, GitHub, Dropbox, and similar cloud apps, making defenders' lives difficult.
Netskope did not discuss the number of potential victims, but did stress that the malware is most likely of Russian origin.
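One place a defender can still pull the two apart is the shape of the traffic itself: a Bot API client embeds its BotFather token in the URL path and polls `getUpdates` in a tight loop, which ordinary Telegram users on web.telegram.org never do. The script below is an added illustration, not Netskope's code or part of the reported malware; it runs over constructed proxy log lines (timestamp, client IP, process name, method, URL) and flags hosts whose non-browser processes poll the Bot API repeatedly within a short window, recording only the numeric bot id rather than the token secret.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for this example; the token below is fake.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z 10.0.0.5 chrome.exe GET https://web.telegram.org/a/
2025-01-10T09:00:01Z 10.0.0.7 svc.exe GET https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeToken/getUpdates?offset=1
2025-01-10T09:00:03Z 10.0.0.7 svc.exe GET https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeToken/getUpdates?offset=2
2025-01-10T09:00:05Z 10.0.0.7 svc.exe GET https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeToken/getUpdates?offset=3
2025-01-10T09:00:06Z 10.0.0.7 svc.exe POST https://api.telegram.org/bot123456789:AAFakeTokenFakeTokenFakeToken/sendMessage
2025-01-10T09:00:07Z 10.0.0.9 outlook.exe GET https://graph.microsoft.com/v1.0/me
"""

# Bot API calls carry the BotFather token in the path: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_line(line):
    """Split one constructed log line into its five fields (hypothetical format)."""
    ts, client, proc, method, url = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "process": proc, "method": method, "url": url}


def detect_bot_c2(log_text, poll_threshold=3, window_s=60):
    """Return one finding per (client, process) that polls getUpdates at least
    poll_threshold times within window_s seconds; the token secret is never stored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        m = BOT_API_RE.search(ev["url"])
        if not m:
            continue  # web.telegram.org and non-Telegram traffic are not Bot API calls
        bot_id, _secret, api_method = m.groups()
        events[(ev["client"], ev["process"])].append((ev["ts"], bot_id, api_method))

    findings = []
    for (client, proc), evs in events.items():
        polls = sorted(t for t, _, meth in evs if meth == "getUpdates")
        if len(polls) >= poll_threshold and (polls[-1] - polls[0]).total_seconds() <= window_s:
            findings.append({"client": client, "process": proc, "polls": len(polls),
                             "bot_ids": sorted({b for _, b, _ in evs}),
                             "methods": sorted({meth for _, _, meth in evs})})
    return findings
```

Legitimate automation also calls the Bot API, so a hit is a lead for reviewing the originating process and host rather than a verdict on its own.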