- Netskope discovers a new Go-based backdoor malware
- It uses Telegram as its C2 infrastructure to receive commands
- The backdoor is very likely of Russian origin, experts warn
Researchers have warned of a new backdoor threat that uses Telegram as its command-and-control (C2) infrastructure.
Netskope's cybersecurity researchers observed a new backdoor written in Go (Golang), a programming language best known for its simplicity, concurrency support and efficiency in building scalable backend systems, cloud services and networked applications.
The backdoor can run PowerShell commands, can self-destruct, and can verify and execute predefined commands. What really makes it stand out from the crowd, however, is its C2 infrastructure: it uses a dedicated function to create a bot instance with a Telegram API token generated through BotFather. A separate function then continuously listens for incoming commands from a Telegram chat. Before executing any predefined action, the malware checks that the received command is valid.
A challenge for defenders
Using Telegram or other cloud services as a C2 server is nothing new, the researchers explained, but it is dangerous because it is difficult for security professionals to tell malicious traffic apart from benign traffic.
"Although the use of cloud applications as C2 channels is not something we see every day, it is a very effective method used by attackers, not only because there is no need to implement a complete infrastructure for it, which makes the attackers' lives easier, but also because it is very difficult, from a defender's perspective, to differentiate between a normal user using an API and a C2 communication," Netskope said in the article.
Besides Telegram, threat actors often use OneDrive, GitHub, Dropbox and similar cloud applications, which makes defenders' lives harder.
Netskope did not discuss the number of potential victims, but stressed that the malware is most likely of Russian origin.
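The backdoor's traffic shape described above (a bot token in the URL path and a process that keeps long-polling getUpdates from a chat) is one thing a defender can hunt for even when the destination itself is a legitimate cloud service. The following detection is an added example, not code from the Netskope report or from the malware; it runs over constructed proxy log lines, and the log format, process names and bot tokens in it are assumptions.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not taken from the Netskope report).
# Fields: timestamp, client host, process name, HTTP method, URL.
SAMPLE_LOGS = """\
2024-05-01T10:00:00 ws-17 updater.exe GET https://api.telegram.org/bot123456789:AAEXAMPLE_xxxxxxxxxxxxxxxxxxxxxxxx/getUpdates?offset=1&timeout=60
2024-05-01T10:01:02 ws-17 updater.exe GET https://api.telegram.org/bot123456789:AAEXAMPLE_xxxxxxxxxxxxxxxxxxxxxxxx/getUpdates?offset=2&timeout=60
2024-05-01T10:02:03 ws-17 updater.exe POST https://api.telegram.org/bot123456789:AAEXAMPLE_xxxxxxxxxxxxxxxxxxxxxxxx/sendMessage
2024-05-01T10:02:10 ws-17 chrome.exe GET https://web.telegram.org/a/
2024-05-01T10:03:04 ws-17 updater.exe GET https://api.telegram.org/bot123456789:AAEXAMPLE_xxxxxxxxxxxxxxxxxxxxxxxx/getUpdates?offset=3&timeout=60
2024-05-01T10:05:00 ws-03 chrome.exe GET https://api.telegram.org/bot987654321:BBOTHER_yyyyyyyyyyyyyyyyyyyyyyyyyy/getMe
"""

# Telegram Bot API calls carry the bot token in the URL path: /bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_line(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, method, url = parts
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def find_bot_api_polling(log_text, min_polls=3):
    """Flag (host, process, bot id) triples that repeatedly call getUpdates.

    Ordinary users talk to Telegram through the client apps or web.telegram.org;
    repeated getUpdates long-polling from an endpoint process is the traffic
    shape of a bot waiting for commands. Only the numeric bot id is reported,
    so the secret half of the token never lands in alert output.
    """
    polls = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if m and m.group(3) == "getUpdates":
            polls[(rec["host"], rec["proc"], m.group(1))] += 1
    return [
        {"host": h, "process": p, "bot_id": b, "polls": n}
        for (h, p, b), n in sorted(polls.items())
        if n >= min_polls
    ]


if __name__ == "__main__":
    for hit in find_bot_api_polling(SAMPLE_LOGS):
        print(hit)
```

Legitimate internal bots will also trip this, so in practice the check is paired with an allowlist of known bot ids and with the process and signer information from the endpoint.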