
Shweta Sharma
Senior Writer

Russian malware discovered with Telegram hacks for C2 operations

News
18 Feb 2025, 3 mins
Tags: APIs, Malware, Security

Stealthy C2 messages operated by the Golang backdoor could easily be mistaken for legitimate Telegram API communication.

Hackers have been found deploying an unfinished Russian malware, written in Golang, that leverages Telegram as its command-and-control (C2) channel.

Netskope Threat Labs, the research wing of the cybersecurity firm Netskope, discovered the malware. “As part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to take a closer look at it,” Netskope researchers said in a blog post.

The researchers added that the malware (Trojan.Generic.37477095), which appears to still be under development but is already fully functional, acts as a backdoor once executed.

Abusing Telegram API for C2 communications

According to the researchers, the C2 communication established by the malware could easily be mistaken for legitimate use of the Telegram API, which makes it difficult to detect.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted.

The backdoor uses Telegram as its C2 mechanism through an open-source Go package that interacts with it, the blog post added. It first creates a bot instance using Telegram’s BotFather feature, which enables creating, managing, and configuring Telegram bots.

The malicious program then calls the GetUpdatesChan() function of the tgbotapi library, a Golang wrapper for the Telegram Bot API, which lets the program create a Telegram channel and receive C2 commands there.

Commands for code execution and persistence

The researchers said the backdoor currently accepts four C2 commands in total, which are sent to the Telegram channel via the package’s Send function; one of the four is yet to be implemented.

The most critical is the “/cmd” command, which executes PowerShell commands and can give the attacker unauthorized access to system resources. This command is received in the Telegram channel as two separate chat messages: the “/cmd” command itself, followed by the PowerShell command to be executed.

With the “/persist” command, the malware first checks whether it is running from a specific location on the local system and, if it is not already running there, relaunches itself and exits. A “selfdestruct” command is also implemented to wipe the malware from that location and terminate itself.

There is also a “/screenshot” command that has been provisioned in the malware but not fully implemented, the researchers said. The Netskope team has shared the IOCs and scripts related to the malware in a dedicated GitHub repository. Other legitimate applications, such as OneDrive, GitHub, Dropbox, Discord, and TOR, have also been abused by threat actors in the past to establish C2 channels that are quick to set up and difficult to detect.
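One way a defender could hunt for the traffic pattern described above in web-proxy logs, as an added example that is not from the article or from Netskope: it groups Telegram Bot API calls per client and bot, flags clients that both long-poll getUpdates (receiving commands) and call sendMessage (returning output), and retains only the bot ID plus a short hint of the token secret. The log format, client addresses and bot token are constructed; the api.telegram.org URL shape and Go’s default “Go-http-client/1.1” user agent are real.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed proxy log sample (not real traffic): "<time>|<client>|<user-agent>|<method>|<url>".
const sampleProxyLog = `10:00:01|10.0.0.5|Go-http-client/1.1|GET|https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates?offset=1&timeout=60
10:01:02|10.0.0.5|Go-http-client/1.1|GET|https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates?offset=2&timeout=60
10:01:05|10.0.0.5|Go-http-client/1.1|POST|https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage
10:02:10|10.0.0.7|TelegramDesktop/5.0|GET|https://web.telegram.org/`
// botAPI matches a Bot API URL and captures the bot ID, the token secret and the API method name.
var botAPI = regexp.MustCompile(`^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)`)
// Finding summarises one client's use of one bot; only a 4-char hint of the token secret is retained.
type Finding struct {
	Client, BotID, TokenHint, UserAgent string
	Calls                               map[string]int // API method -> number of calls
}

// Suspicious flags the pattern the article describes: repeated getUpdates polling plus sendMessage.
func (f Finding) Suspicious() bool { return f.Calls["getUpdates"] >= 2 && f.Calls["sendMessage"] >= 1 }

// FindBotAPIClients groups Bot API calls by "<client>/<botID>"; other Telegram traffic is ignored.
func FindBotAPIClients(logText string) map[string]*Finding {
	found := map[string]*Finding{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 5 {
			continue // malformed line: skip it rather than abort the whole scan
		}
		m := botAPI.FindStringSubmatch(f[4])
		if m == nil {
			continue // not a Bot API call (e.g. the desktop client talking to web.telegram.org)
		}
		key := f[1] + "/" + m[1]
		if found[key] == nil {
			found[key] = &Finding{Client: f[1], BotID: m[1], TokenHint: m[2][:4] + "...", UserAgent: f[2], Calls: map[string]int{}}
		}
		found[key].Calls[m[3]]++
	}
	return found
}

func main() {
	for key, f := range FindBotAPIClients(sampleProxyLog) {
		fmt.Printf("%s ua=%q token=%s calls=%v suspicious=%v\n", key, f.UserAgent, f.TokenHint, f.Calls, f.Suspicious())
	}
}
```

Any hit is worth an analyst's look, since ordinary workstations rarely run Telegram bots; the Go default user agent on a Bot API call is a further tell but should not be relied on, as it is trivially changed.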