Cybersecurity researchers recently revealed a new type of backdoor program based on the Go language, which uses Telegram as the mechanism for command and control (C2) communication. Netskope's threat lab has analyzed the functionality of the malware in detail and pointed out that it may originate from Russia.
Backdoor features and operation mechanism

Security researcher Leandro Fróes said in an analysis report released last week that 'the malware is compiled in Go language and will appear as a backdoor once executed. Although it seems to still be in the development stage, it is already fully functional.'
After the backdoor is launched, it checks whether it is running from the specific path and file name 'C:\Windows\Temp\svchost.exe'. If not, it reads its own contents and writes them to that path, then starts the copy as a new process and terminates itself.
Concealed communication using the Telegram Bot API
A notable feature of this malware is that it uses an open-source Go binding library to implement command and control communication over the Telegram Bot API. Specifically, it polls the Telegram Bot API to receive commands from the attacker's control chat. It currently recognises four commands, although only three are implemented:
- /cmd: Execute commands through PowerShell.
- /persist: Restart itself under the path 'C:\Windows\Temp\svchost.exe'.
- /screenshot: Not implemented.
- /selfdestruct: Delete the file 'C:\Windows\Temp\svchost.exe' and terminate itself.
The output of these commands is sent back to the Telegram chat. Netskope points out that although the '/screenshot' command has not been fully developed, it still replies with a message saying 'Screenshot captured'.
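Two behaviours described above are detectable with host telemetry without any knowledge of the bot token: a process named svchost.exe running from C:\Windows\Temp rather than a system directory, and PowerShell children or api.telegram.org connections originating from that masquerading process. The following detector is an added example written for this article; it is not Netskope's code or the malware's code. The event fields and the detection names are assumptions, and the sample events are constructed to mirror the behaviour the article describes, not captured telemetry.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a simplified process/network event. The field names are an
// assumption for this example, not a real Sysmon or EDR schema.
type ProcEvent struct {
	Image       string // full path of the process
	ParentImage string // full path of its parent
	Dest        string // remote host for a network event, "" otherwise
}

// Directories where the genuine svchost.exe lives on 64-bit Windows.
// Tune this allowlist for your estate (e.g. servicing/WinSxS copies).
var legitimateSvchostDirs = map[string]bool{
	`c:\windows\system32\`: true,
	`c:\windows\syswow64\`: true,
}

// splitPath returns the lower-cased directory (with trailing separator)
// and the file name of a Windows path.
func splitPath(p string) (dir, base string) {
	p = strings.ToLower(p)
	i := strings.LastIndexAny(p, `\/`)
	if i < 0 {
		return "", p
	}
	return p[:i+1], p[i+1:]
}

// IsMasqueradingSvchost reports whether an image named svchost.exe runs from
// somewhere other than the system directories (e.g. C:\Windows\Temp\svchost.exe).
func IsMasqueradingSvchost(image string) bool {
	dir, base := splitPath(image)
	return base == "svchost.exe" && !legitimateSvchostDirs[dir]
}

func isPowerShell(image string) bool {
	_, base := splitPath(image)
	return base == "powershell.exe" || base == "pwsh.exe"
}

// Findings returns the names of the detections that fire for one event,
// in a fixed order so results are easy to compare.
func Findings(e ProcEvent) []string {
	var out []string
	if IsMasqueradingSvchost(e.Image) {
		out = append(out, "svchost-outside-system-dir")
	}
	// The /cmd command runs PowerShell from the relocated binary.
	if isPowerShell(e.Image) && IsMasqueradingSvchost(e.ParentImage) {
		out = append(out, "powershell-child-of-masquerading-svchost")
	}
	// Bot API traffic from the relocated binary is the C2 channel itself.
	if strings.EqualFold(e.Dest, "api.telegram.org") && IsMasqueradingSvchost(e.Image) {
		out = append(out, "telegram-bot-api-from-masquerading-svchost")
	}
	return out
}

// SampleEvents are constructed records for this example, not real telemetry.
var SampleEvents = []ProcEvent{
	{Image: `C:\Windows\System32\svchost.exe`, ParentImage: `C:\Windows\System32\services.exe`},
	{Image: `C:\Windows\Temp\svchost.exe`, ParentImage: `C:\Users\u\Downloads\update.exe`},
	{Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, ParentImage: `C:\Windows\Temp\svchost.exe`},
	{Image: `C:\Windows\Temp\svchost.exe`, Dest: "api.telegram.org"},
}

func main() {
	for _, e := range SampleEvents {
		fmt.Printf("%-60s %v\n", e.Image, Findings(e))
	}
}
```

The first sample event (the real svchost.exe under services.exe) produces no findings; the other three each fire at least one. The allowlist is deliberately exact-match on the directory, so a copy under a subdirectory of System32 is still flagged; expect to extend it if your environment legitimately stages svchost.exe elsewhere, and treat api.telegram.org traffic from any non-browser process as worth a look on hosts where Telegram is not sanctioned.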
Russian background and attacker strategy
The Russian background of the malware is evidenced by the Russian-language message 'Enter the command:' that the '/cmd' command sends to the chat.
Fróes added, 'The use of cloud applications brings complex challenges to defenders, and attackers are also aware of this. In other respects, such as the ease of setting up and launching such applications, this convenience is one of the reasons attackers use them at different stages of an attack.'
Through this innovative communication method, attackers can control compromised hosts more covertly, which also highlights the new challenges that cloud services bring to the field of cybersecurity.
Reference source:
A new Golang-based backdoor uses the Telegram Bot API for evasive C2 operations