{"id":1972,"date":"2025-02-18T11:43:05","date_gmt":"2025-02-18T11:43:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1972"},"modified":"2025-02-18T11:43:05","modified_gmt":"2025-02-18T11:43:05","slug":"russian-malware-discovered-with-telegram-hacks-for-c2-operations","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1972","title":{"rendered":"Russian malware discovered with Telegram hacks for C2 operations"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Hackers have been found deploying an unfinished piece of Russian malware, written in Go, that uses Telegram as its command-and-control (C2) channel.<\/p>\n<p>The malware was discovered by Netskope Threat Labs, the research arm of the cybersecurity firm Netskope. \u201cAs part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to take a closer look at it,\u201d Netskope researchers said in a blog post.<\/p>\n<p>The researchers added that the <a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">malware<\/a> (Trojan.Generic.37477095), which appears to still be under development but is already fully functional, acts as a backdoor once executed.<\/p>\n<h2 class=\"wp-block-heading\">Abusing the Telegram API for C2 communications<\/h2>\n<p>According to the researchers, the malware\u2019s C2 traffic is easily mistaken for legitimate use of the Telegram <a href=\"https:\/\/www.infoworld.com\/article\/2269032\/what-is-an-api-application-programming-interfaces-explained.html\">API<\/a>, which makes it hard to detect.<\/p>\n<p>\u201cAlthough the use of cloud apps as C2 channels is not something we see every day, it\u2019s a very effective method used by 
attackers not only because there\u2019s no need to implement a whole infrastructure for it, making attackers\u2019 lives easier, but also because it\u2019s very difficult, from a defender\u2019s perspective, to differentiate what is a normal user using an API and what is a C2 communication,\u201d researchers noted.<\/p>\n<p>The backdoor talks to Telegram through an<a href=\"https:\/\/github.com\/go-telegram-bot-api\/telegram-bot-api\"> open-source Go package<\/a>, tgbotapi, a Go wrapper for the Telegram Bot API. It first creates a bot instance from a bot token; such tokens are issued through Telegram\u2019s BotFather, the service bot used to create, manage and configure Telegram bots.<\/p>\n<p>The program then calls the library\u2019s GetUpdatesChan() function, which polls the Bot API in the background and returns a Go channel that delivers incoming updates (new chat messages) to the program. The C2 commands are read from that channel. This is a Go channel, not a Telegram channel: the operator simply sends messages to the bot.<\/p>\n<h2 class=\"wp-block-heading\">Commands for code execution and persistence<\/h2>\n<p>The researchers said the backdoor currently accepts four C2 commands in total, one of which is yet to be implemented. Command results are sent back to the operator\u2019s chat through the library\u2019s Send function.<\/p>\n<p>The most critical is the \u201c\/cmd\u201d command, which executes PowerShell commands and so gives the operator arbitrary command execution on the host. It is received as two separate chat messages: first the \u201c\/cmd\u201d command itself, then the PowerShell command to be executed.<\/p>\n<p>On \u201c\/persist\u201d, the malware first checks whether it is running from a specific location on the local system; if it is not, it relaunches itself and exits. A \u201c\/selfdestruct\u201d command removes the malware from that location and terminates it.<\/p>\n<p>A \u201c\/screenshot\u201d command is also provisioned in the malware but has not been fully implemented, researchers said. 
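<\/p>
<p>The differentiation problem the researchers describe is not hopeless, because Bot API traffic has a distinctive shape: interactive Telegram clients speak MTProto to Telegram\u2019s data centres, while bots call https:\/\/api.telegram.org\/bot&lt;token&gt;\/&lt;method&gt; over HTTPS, and a bot that receives its instructions by long-polling hits getUpdates over and over. The Go program below is added here as an illustration; it is not code from the Netskope report or from the malware. It runs that logic over a handful of constructed TLS-inspecting proxy log lines (timestamps, client IPs and bot tokens are all made up), inventories every (client, bot id) pair, counts getUpdates polls against sendMessage replies, and flags clients that poll at least a chosen number of times. The token secret is matched but never stored. A Go program that does not set its own user agent shows up as Go-http-client\/1.1, which is why that string appears in the sample.<\/p>

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of TLS-inspecting proxy log lines (not from the Netskope
// report): timestamp, client IP, method, host, URI, user agent. IPs and bot
// tokens are made up. 10.0.0.12 is shaped like a Go bot that long-polls
// getUpdates and answers with sendMessage; 10.0.0.33 is a person on Telegram
// Web; 10.0.0.45 is an admin checking a bot token once.
const sampleLog = `2025-02-18T11:40:01Z 10.0.0.12 GET api.telegram.org /bot7123456789:AAH9xQ-fakeTokenValue00000000000000/getUpdates?offset=1&timeout=60 Go-http-client/1.1
2025-02-18T11:41:02Z 10.0.0.12 GET api.telegram.org /bot7123456789:AAH9xQ-fakeTokenValue00000000000000/getUpdates?offset=2&timeout=60 Go-http-client/1.1
2025-02-18T11:41:03Z 10.0.0.12 POST api.telegram.org /bot7123456789:AAH9xQ-fakeTokenValue00000000000000/sendMessage Go-http-client/1.1
2025-02-18T11:42:04Z 10.0.0.12 GET api.telegram.org /bot7123456789:AAH9xQ-fakeTokenValue00000000000000/getUpdates?offset=3&timeout=60 Go-http-client/1.1
2025-02-18T11:42:10Z 10.0.0.33 GET web.telegram.org /a/ Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2025-02-18T11:42:11Z 10.0.0.45 GET api.telegram.org /bot9988776655:BBfakeWebhookCheck000000000000000/getMe curl/8.4.0
2025-02-18T11:43:00Z 10.0.0.12 GET api.telegram.org /bot7123456789:AAH9xQ-fakeTokenValue00000000000000/getUpdates?offset=4&timeout=60 Go-http-client/1.1`

// BotAPIHit summarises one client's use of one bot identity.
type BotAPIHit struct {
	Src       string
	BotID     string // numeric half of the token; the secret half is never kept
	UserAgent string
	Polls     int // getUpdates: the bot's inbound (command) channel
	Sends     int // sendMessage: results going back to whoever drives the bot
	Other     int // getMe, setWebhook, ...
}

// Bot API paths look like /bot<id>:<secret>/<method>; the secret is matched
// so the id and method can be pulled out, but it is not captured.
var botPath = regexp.MustCompile(`^/bot(\d+):[A-Za-z0-9_-]+/([A-Za-z]+)`)

// Analyze aggregates every Bot API call per (client, bot id), in first-seen
// order. Interactive Telegram clients never touch api.telegram.org/bot...,
// so every hit is worth inventorying regardless of volume.
func Analyze(log string) []BotAPIHit {
	hits := map[string]*BotAPIHit{}
	var order []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.SplitN(strings.TrimSpace(line), " ", 6)
		if len(f) != 6 || f[3] != "api.telegram.org" {
			continue
		}
		src, uri, ua := f[1], f[4], f[5]
		m := botPath.FindStringSubmatch(uri)
		if m == nil {
			continue
		}
		key := src + "|" + m[1]
		h, seen := hits[key]
		if !seen {
			h = &BotAPIHit{Src: src, BotID: m[1], UserAgent: ua}
			hits[key] = h
			order = append(order, key)
		}
		switch m[2] {
		case "getUpdates":
			h.Polls++
		case "sendMessage":
			h.Sends++
		default:
			h.Other++
		}
	}
	out := make([]BotAPIHit, 0, len(order))
	for _, k := range order {
		out = append(out, *hits[k])
	}
	return out
}

// Suspicious flags a client that keeps long-polling getUpdates: that is the
// receive side of a Telegram-based C2 loop, and a bot that uses a webhook
// instead never shows it. minPolls is a tuning knob, not a known indicator;
// pick it from what legitimate bots in your environment do.
func Suspicious(h BotAPIHit, minPolls int) bool {
	return h.Polls >= minPolls
}

func main() {
	for _, h := range Analyze(sampleLog) {
		fmt.Printf("%-10s bot%s:***  ua=%-20q polls=%d sends=%d other=%d suspicious=%v\n",
			h.Src, h.BotID, h.UserAgent, h.Polls, h.Sends, h.Other, Suspicious(h, 3))
	}
}
```

<p>Run as is, the program lists two (client, bot id) pairs and flags only 10.0.0.12. In production the same aggregation belongs in the proxy or EDR pipeline keyed on the responsible process as well as the client address; the bot id is stable across a campaign and makes a better pivot than the full token, which should never be copied into tickets.<\/p>
<p>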
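<\/p>
<p>To make the command protocol concrete, here is a dry-run model of the handler described above, written for this article rather than taken from the sample or from Netskope. It mirrors only the fields of a Bot API update that the handler reads, takes the PowerShell executor, expected install path and running path as injected values (all of them assumptions for the example, so nothing touches the host), and reproduces the two-message \u201c\/cmd\u201d exchange: once \u201c\/cmd\u201d has been seen, whatever message arrives next goes to the executor verbatim, even if it looks like another command.<\/p>

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Message and Update carry the only fields of a Bot API update the handler
// reads; tgbotapi's real types are far richer. Constructed for the example.
type Message struct {
	ChatID int64
	Text   string
}
type Update struct{ Message *Message }

// Backdoor is a dry-run model of the handler described in the article. The
// sample's internals beyond that description are not known here, so running
// PowerShell, copying the binary and deleting it are replaced by an injected
// callback or by the text the handler would report back.
type Backdoor struct {
	ExpectedPath string                          // where "/persist" wants the binary (assumed)
	RunningPath  string                          // path the process runs from (os.Executable in a real agent)
	Exec         func(ps string) (string, error) // executor; the real sample runs PowerShell
	pendingCmd   bool                            // "/cmd" received, next message is the script
}

// Handle consumes one update and returns the reply the bot would send with
// bot.Send(tgbotapi.NewMessage(chatID, text)); "" means no reply.
func (b *Backdoor) Handle(u Update) string {
	if u.Message == nil {
		return "" // edited messages, callback queries, etc. carry no Message
	}
	text := strings.TrimSpace(u.Message.Text)

	// Second half of the two-message "/cmd" exchange. In this model there is
	// no re-check for a leading slash (the report does not say how the sample
	// handles it), so a "/persist" sent here is executed, not dispatched.
	if b.pendingCmd {
		b.pendingCmd = false
		out, err := b.Exec(text)
		if err != nil {
			return "error: " + err.Error()
		}
		return out
	}

	switch text {
	case "/cmd":
		b.pendingCmd = true
		return ""
	case "/persist":
		if filepath.Clean(b.RunningPath) == filepath.Clean(b.ExpectedPath) {
			return "already running from " + b.ExpectedPath
		}
		// Per the report: relaunch from the expected location and exit.
		return "relaunching from " + b.ExpectedPath
	case "/selfdestruct":
		// Per the report: delete the binary at that location and terminate.
		return "removing " + b.ExpectedPath
	case "/screenshot":
		return "not implemented" // provisioned but unfinished in the sample
	}
	return "unknown command: " + text
}

// ScriptedExec stands in for PowerShell: it records what would have run and
// echoes it back, so the exchange can be replayed offline.
func ScriptedExec(ran *[]string) func(string) (string, error) {
	return func(ps string) (string, error) {
		*ran = append(*ran, ps)
		return "ran: " + ps, nil
	}
}

func main() {
	var ran []string
	b := &Backdoor{
		ExpectedPath: `C:\ProgramData\example\agent.exe`, // assumed, not the sample's real path
		RunningPath:  `C:\Users\victim\Downloads\agent.exe`,
		Exec:         ScriptedExec(&ran),
	}
	for _, m := range []string{"/cmd", "whoami", "/persist", "/screenshot", "/selfdestruct"} {
		reply := b.Handle(Update{Message: &Message{ChatID: 1, Text: m}})
		if reply == "" {
			reply = "(no reply)"
		}
		fmt.Printf("operator> %-14s bot> %s\n", m, reply)
	}
	fmt.Println("executed:", ran)
}
```

<p>The executor is deliberately a value, not a call to PowerShell: the same Handle can be driven by a fake Telegram front end in a sandbox, by a fuzzer, or by a replay of captured chat messages, without ever running anything on the analysis host.<\/p>
<p>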
The Netskope team has shared the IOCs and scripts related to the malware in a dedicated<a href=\"https:\/\/github.com\/netskopeoss\/NetskopeThreatLabsIOCs\/tree\/main\/Malware\/GoTelegramBackdoor\"> GitHub repository<\/a>. Other legitimate services and networks, including<a href=\"https:\/\/www.csoonline.com\/article\/3483919\/apt-groups-increasingly-attacking-cloud-services-to-gain-command-and-control.html\"> OneDrive<\/a>, GitHub,<a href=\"https:\/\/www.csoonline.com\/article\/553805\/phishing-blast-uses-dropbox-to-target-hong-kong-journalists.html\"> Dropbox<\/a>,<a href=\"https:\/\/www.csoonline.com\/article\/2149587\/india-faces-evolved-cyber-espionage-with-novel-discord-hack.html\"> Discord<\/a> and<a href=\"https:\/\/www.csoonline.com\/article\/3812279\/new-phishing-campaign-targets-users-in-poland-and-germany.html\"> Tor<\/a>, have likewise been abused by threat actors in the past to set up C2 channels quickly and make them harder to detect.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Hackers have been found deploying an unfinished Russian malware, written in Golang, that leverages Telegram as its command-and-control (C2) channel. Netskope Threat Labs, the research wing of the cybersecurity firm Netskope, discovered the malware. 
\u201cAs part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1973,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1972"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1972"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1972\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1973"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}