Hackread reports that suspected Russian threat actors are actively developing a novel Golang backdoor that abuses Telegram's API for command-and-control communications, in place of attacker-operated infrastructure.
According to an analysis from Netskope, execution of the payload, detected as Trojan.Generic.37477095, triggers an "installSelf" function that ensures the backdoor is running from its intended location before it establishes C2 through an open-source package that talks to Telegram's API. Of the four commands the backdoor recognizes, three are already implemented: "/cmd", which executes PowerShell commands; "/persist", which relaunches the malware; and "/selfdestruct", which deletes the malware file and terminates its process.

"Although the use of cloud apps as C2 channels is not something we see every day, it's a very effective method used by attackers, not only because there's no need to implement a whole infrastructure for it, making attackers' lives easier, but also because it's very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication," said researchers.
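The researchers' point about telling ordinary Telegram use apart from C2 is where a detection has to start. One usable hook is the URL shape: a bot-driven backdoor calls the Telegram Bot API at api.telegram.org with a path of the form /bot<id>:<token>/<method> (getUpdates to poll for operator commands, sendMessage to return output), whereas the official Telegram clients speak MTProto to Telegram's data centres and never use that path. The script below is an added example written for this article, not code from Netskope or from the malware; it parses a constructed web-proxy log (the column layout, host names, process names and the bot token are all made up for the sample), groups Bot API calls by source host, process and bot id, skips processes on an assumed site-specific allowlist, and flags regular getUpdates polling as beacon-like. Note that the path is only visible if the proxy performs TLS inspection or the log comes from endpoint telemetry; with DNS or SNI alone you only see api.telegram.org and must rely on the process context and cadence.

```python
"""Detect Telegram Bot API use as a C2 channel in web-proxy logs.

Added example (not the original article's or Netskope's code). Assumes a
proxy log with one request per line in the constructed layout:
    <ISO timestamp> <source host> <process name> <GET|POST> <dest host> <path>
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. The bot tokens are made up and are not real credentials.
# ws-042 shows the backdoor pattern: a system-looking process long-polling
# getUpdates at a fixed interval and posting results with sendMessage.
# ws-017 shows benign Telegram use (desktop client and web client).
# srv-mon is an assumed legitimate alerting script that is allowlisted.
SAMPLE_LOG = """\
2025-02-17T10:00:00Z ws-042 svchost.exe GET api.telegram.org /bot7123456789:AAF0abcdefghijklmnopqrstuvwxyzABCDE/getUpdates?offset=0&timeout=30
2025-02-17T10:00:31Z ws-042 svchost.exe GET api.telegram.org /bot7123456789:AAF0abcdefghijklmnopqrstuvwxyzABCDE/getUpdates?offset=1&timeout=30
2025-02-17T10:01:02Z ws-042 svchost.exe GET api.telegram.org /bot7123456789:AAF0abcdefghijklmnopqrstuvwxyzABCDE/getUpdates?offset=2&timeout=30
2025-02-17T10:01:03Z ws-042 svchost.exe POST api.telegram.org /bot7123456789:AAF0abcdefghijklmnopqrstuvwxyzABCDE/sendMessage
2025-02-17T10:01:33Z ws-042 svchost.exe GET api.telegram.org /bot7123456789:AAF0abcdefghijklmnopqrstuvwxyzABCDE/getUpdates?offset=3&timeout=30
2025-02-17T10:00:05Z ws-017 Telegram.exe POST 149.154.167.50 /api
2025-02-17T10:00:09Z ws-017 chrome.exe GET web.telegram.org /a/
2025-02-17T10:02:00Z srv-mon alertbot.py POST api.telegram.org /bot5000000001:AAEmonitoringBotTokenPlaceholderXYZ/sendMessage
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\S+)$")
# Bot API paths look like /bot<numeric id>:<secret>/<method>; official Telegram
# clients (MTProto) never produce this shape, so a match is a Bot API call.
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")

# Assumed allowlist of processes permitted to use the Bot API at this site.
ALLOWED_BOT_PROCESSES = {"alertbot.py"}


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, proc, method, host, path = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "proc": proc, "method": method, "host": host, "path": path,
        })
    return events


def find_bot_c2(events, allowed=ALLOWED_BOT_PROCESSES, max_jitter=5.0):
    """Group Bot API calls by (source, process, bot id) and report the ones
    from non-allowlisted processes. getUpdates polling whose inter-request
    gaps vary by no more than max_jitter seconds is marked as beaconing."""
    groups = defaultdict(list)
    for ev in events:
        if ev["host"] != "api.telegram.org":
            continue
        m = BOT_API_RE.match(ev["path"])
        if not m:
            continue
        bot_id, _token, api_method = m.groups()  # token kept out of findings
        groups[(ev["src"], ev["proc"], bot_id)].append((ev["ts"], api_method))

    findings = []
    for (src, proc, bot_id), calls in sorted(groups.items()):
        if proc in allowed:
            continue
        calls.sort()
        polls = [t for t, m in calls if m == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings.append({
            "src": src, "proc": proc, "bot_id": bot_id,
            "methods": sorted({m for _, m in calls}),
            "requests": len(calls),
            "beaconing": len(gaps) >= 2 and pstdev(gaps) <= max_jitter,
            "mean_poll_gap_s": round(mean(gaps), 1) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_bot_c2(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, only ws-042/svchost.exe is reported: four getUpdates calls 31 seconds apart plus one sendMessage, flagged as beaconing. The bot id is kept in the finding because it identifies the operator's bot across hosts; the token is deliberately dropped from the output since it is a live credential for that bot and belongs in the incident record, not in an alert.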