- Netskope reveals new Go-built backdoor that spreads malware
- It uses Telegram as its C2 infrastructure to receive commands
- The backdoor is probably of Russian origin, experts warn
A new backdoor threat has been discovered using Telegram as its command and control (C2) infrastructure, researchers have warned.
Cybersecurity researchers from Netskope observed a new backdoor written in Golang, also known as Go, a programming language best known for its simplicity, concurrency support and efficiency in building scalable backend systems, cloud services and network applications.
The backdoor can run PowerShell commands, self-destruct, and check for and execute predefined commands. What makes it stand out from the crowd, however, is its C2 infrastructure: it uses one function to create a bot instance from a Telegram API token generated via BotFather, then a separate function to continuously listen for incoming commands from a Telegram chat. Before carrying out any of its predefined actions, the malware checks that the received command is valid.
Challenging defense
Using Telegram or other cloud services as a C2 server is nothing new, the researchers explained, but it is dangerous because it is difficult for security teams to distinguish malicious traffic from benign traffic to the same service.
“Although the use of cloud apps as C2 channels is not something we see every day, it is a very effective method used by attackers, and it is very difficult from a defender's perspective to differentiate what is a normal user using an API and what is a C2 communication,” Netskope said in the article.
In addition to Telegram, threat actors often use OneDrive, GitHub, Dropbox and similar cloud apps, making defenders' lives difficult.
Netskope did not discuss the number of potential victims, but emphasized that the malware is likely to be of Russian origin.
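As an added illustration of the mechanism and the detection problem described above (this is not code from Netskope's report or from the malware), the Python below scans constructed proxy log lines for hosts that repeatedly poll the Telegram Bot API's getUpdates method, which is how a bot created from a BotFather token receives chat commands. The log format, host addresses and bot tokens are made-up assumptions; the Go-http-client user agent is the default sent by Go's net/http package and is used only as a weak supporting signal.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report):
# timestamp source_ip user_agent method url
SAMPLE_LOG = """\
2025-02-17T10:00:00Z 10.0.0.5 Go-http-client/1.1 GET https://api.telegram.org/bot123456:FAKE-TOKEN/getUpdates?offset=10
2025-02-17T10:00:02Z 10.0.0.5 Go-http-client/1.1 GET https://api.telegram.org/bot123456:FAKE-TOKEN/getUpdates?offset=11
2025-02-17T10:00:04Z 10.0.0.5 Go-http-client/1.1 GET https://api.telegram.org/bot123456:FAKE-TOKEN/getUpdates?offset=11
2025-02-17T10:00:05Z 10.0.0.5 Go-http-client/1.1 POST https://api.telegram.org/bot123456:FAKE-TOKEN/sendMessage
2025-02-17T10:01:00Z 10.0.0.7 Mozilla/5.0 GET https://web.telegram.org/a/
2025-02-17T10:02:00Z 10.0.0.9 python-requests/2.31 POST https://api.telegram.org/bot987:OTHER-FAKE/sendMessage
"""

# Bot API URLs carry the bot token in the path: /bot<token>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")


def parse(line):
    """Split one constructed log line; return None if it is not a Bot API call."""
    ts, host, ua, verb, url = line.split(" ", 4)
    m = BOT_API.search(url)
    if not m:
        return None
    return {"ts": ts, "host": host, "ua": ua, "token": m["token"], "method": m["method"]}


def find_bot_c2_candidates(log_text, min_polls=3):
    """Return hosts that poll getUpdates at least min_polls times.

    Heuristic only: legitimate chatops or alerting bots produce the same
    pattern, which is exactly why this traffic is hard to triage."""
    polls = defaultdict(int)
    uas = defaultdict(set)
    tokens = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        uas[rec["host"]].add(rec["ua"])
        tokens[rec["host"]].add(rec["token"][:6] + "...")  # redact the token
        if rec["method"] == "getUpdates":
            polls[rec["host"]] += 1
    findings = []
    for host, n in polls.items():
        if n >= min_polls:
            go_ua = any(ua.startswith("Go-http-client") for ua in uas[host])
            findings.append({"host": host, "getUpdates": n, "go_client": go_ua,
                             "tokens": sorted(tokens[host])})
    return findings
```

Hosts that only call sendMessage (outbound alerting) are deliberately not flagged; the polling loop is the part that matches a command-receiving bot.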