Researchers have identified a new backdoor malware, written in the Go programming language, that leverages Telegram as its command-and-control (C2) channel. The malware is compiled in Golang and functions as a backdoor once executed. While it appears to still be under development, it is already fully functional and capable of executing various malicious activities.

The malware employs an open-source Go package to interact with Telegram. It uses the NewBotAPIWithClient function to create a bot instance using a token generated via Telegram's BotFather feature. Through the GetUpdatesChan function, the malware continuously monitors a channel for incoming commands from its operators, and command outputs are sent back to the Telegram channel using an encrypted send function. For example, when executing /cmd, the malware prompts the attacker (in Russian) to enter a PowerShell command, which it then executes in hidden mode. A self-installation step is executed through an initialization function before the main function of the malware is called.

This use of cloud-based applications like Telegram for C2 communication poses significant challenges for cybersecurity defenders. These platforms provide attackers with easy-to-use infrastructure while blending malicious activity with legitimate API usage, which complicates detection efforts. Other cloud apps such as OneDrive, GitHub, and Dropbox could similarly be exploited in this way, making it increasingly difficult for defenders to differentiate between benign and malicious traffic. By exploiting platforms like Telegram for C2 communication, attackers simplify their operations while complicating defensive measures.

Netskope Advanced Threat Protection proactively detects this threat under the identifier "Trojan.Generic.37477095." The company emphasized the importance of monitoring such evolving threats and adapting defenses accordingly, and Netskope Threat Labs reported that it will continue monitoring this backdoor's development and its associated tactics, techniques, and procedures (TTPs). For additional technical details and indicators of compromise (IOCs), Netskope has made relevant data available in its GitHub repository.
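As an added defender-side example (not code from the report, from Netskope or from the malware), the Go program below scans constructed proxy log lines for Telegram Bot API requests, the getUpdates polling and sendMessage traffic that a bot-based backdoor like the one described generates. The log layout, client addresses and bot token are assumed sample values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed proxy log lines for this example (assumed layout:
// client_ip "user_agent" method url). Addresses and the bot token are invented.
var SampleLog = []string{
	`10.0.0.5 "Go-http-client/1.1" GET https://api.telegram.org/bot123456789:EXAMPLE-TOKEN_abc/getUpdates?offset=12&timeout=60`,
	`10.0.0.5 "Go-http-client/1.1" POST https://api.telegram.org/bot123456789:EXAMPLE-TOKEN_abc/sendMessage`,
	`10.0.0.7 "Mozilla/5.0" GET https://web.telegram.org/a/`,
}

var lineRe = regexp.MustCompile(`^(\S+) "([^"]*)" (\S+) (\S+)$`)
var botAPIRe = regexp.MustCompile(`^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)`)

// Finding is one Bot API request. The token secret is dropped; only the numeric
// bot id is kept so analysts can correlate sessions without handling a credential.
type Finding struct {
	ClientIP, UserAgent, BotID string
	Method                     string // getUpdates = command polling, sendMessage = results
}

// DetectBotAPI returns every request to the Telegram Bot API. Official clients use
// MTProto, not this HTTPS API, so a hit from a workstation merits triage.
func DetectBotAPI(lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		m := lineRe.FindStringSubmatch(ln)
		if m == nil {
			continue // malformed line: skip rather than fail the whole scan
		}
		if api := botAPIRe.FindStringSubmatch(m[4]); api != nil {
			out = append(out, Finding{ClientIP: m[1], UserAgent: m[2], BotID: api[1], Method: api[3]})
		}
	}
	return out
}

// IsGoClient reports whether the User-Agent is Go's net/http default, which a Go-built bot sends unless overridden.
func IsGoClient(f Finding) bool { return strings.HasPrefix(f.UserAgent, "Go-http-client/") }

func main() {
	for _, f := range DetectBotAPI(SampleLog) {
		fmt.Printf("%s bot=%s %s ua=%q goClient=%t\n", f.ClientIP, f.BotID, f.Method, f.UserAgent, IsGoClient(f))
	}
}
```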
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 15 Feb 2025 11:30:16 +0000