- Netskope discovers a new backdoor malware
- It uses Telegram as its C2 infrastructure to receive commands
- The backdoor is probably of Russian origin, experts warn
A new backdoor has been spotted using Telegram as its command-and-control (C2) infrastructure, researchers have warned.
Netskope cybersecurity researchers observed a new backdoor written in Golang, also known as Go, a programming language best known for its simplicity, concurrency support and efficiency in building scalable backend systems, cloud services and networking applications.
The backdoor can execute PowerShell commands, can self-destruct, and checks for and executes a set of predefined commands. What really makes it stand out, however, is its C2 infrastructure: it uses a dedicated function to create a bot instance from a Telegram Bot API token generated via BotFather, then uses a separate function to continuously listen for incoming commands from a Telegram chat. Before performing any of the predefined actions, the malware checks that the received command is valid.
Difficult defense
Using Telegram or other cloud services as a C2 server is nothing new, the researchers explained, but it is dangerous because it is hard for security professionals to tell malicious traffic apart from benign traffic to the same service.
“Although using cloud applications as C2 channels is not something we see every day, it is a very effective method used by attackers, not only because it is not necessary to set up an entire infrastructure for this, which makes life easier for attackers, but also because it is very difficult, from the defender’s point of view, to differentiate what is a normal user using an API and what is a C2 communication,” Netskope said in the article.
Besides Telegram, threat actors often use OneDrive, GitHub, Dropbox and similar cloud applications, which makes defenders’ lives difficult.
Netskope did not discuss the number of potential victims, but stressed that the malware is probably of Russian origin.
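The mechanism described above (a bot created from a BotFather token, polling a chat for commands) does leave one handle for defenders: every Bot API call carries the token in its URL path, and a backdoor has to poll `getUpdates` on a tight cadence to receive orders promptly, whereas a legitimate notification bot usually only calls `sendMessage` now and then. The following Go program is an added example written for this article, not code from Netskope or from the malware; the proxy log format, the process names, the bot token and the thresholds are all constructed for the example. It groups `api.telegram.org` requests by (process, bot id) and flags processes that poll `getUpdates` frequently.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// ProxyEvent is one outbound HTTP request as a TLS-inspecting egress proxy or an
// EDR network log would record it. The field set is an assumption for this example.
type ProxyEvent struct {
	Time      time.Time
	Process   string
	Host      string
	Path      string
	UserAgent string
}

// botAPIPath matches the Telegram Bot API path prefix. The token BotFather issues
// (numeric bot id, colon, secret) is part of every Bot API URL, so it lets us group
// calls by bot without decoding request bodies.
var botAPIPath = regexp.MustCompile(`^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)`)

// ParseProxyLog reads constructed log lines of the form
// "<RFC3339 time> <process> <host> <path> <user-agent...>".
func ParseProxyLog(raw string) ([]ProxyEvent, error) {
	var events []ProxyEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.SplitN(line, " ", 5)
		if len(f) < 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, ProxyEvent{Time: t, Process: f[1], Host: f[2], Path: f[3], UserAgent: f[4]})
	}
	return events, nil
}

// Finding is one process polling one bot's getUpdates endpoint.
type Finding struct {
	Process  string
	BotID    string
	Polls    int
	Interval time.Duration // mean gap between consecutive getUpdates calls
}

// DetectBotPolling flags (process, bot id) pairs that call getUpdates at least
// minPolls times with a mean interval at or below maxInterval. A legitimate bot
// integration that long-polls would produce the same pattern, so the output is a
// lead for an analyst ("should this process be running a Telegram bot?"), not a verdict.
func DetectBotPolling(events []ProxyEvent, minPolls int, maxInterval time.Duration) []Finding {
	type key struct{ proc, bot string }
	polls := map[key][]time.Time{}
	for _, e := range events {
		if e.Host != "api.telegram.org" {
			continue
		}
		m := botAPIPath.FindStringSubmatch(e.Path)
		if m == nil || m[3] != "getUpdates" {
			continue
		}
		k := key{e.Process, m[1]}
		polls[k] = append(polls[k], e.Time)
	}
	var out []Finding
	for k, ts := range polls {
		if len(ts) < minPolls {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		mean := ts[len(ts)-1].Sub(ts[0]) / time.Duration(len(ts)-1)
		if mean <= maxInterval {
			out = append(out, Finding{Process: k.proc, BotID: k.bot, Polls: len(ts), Interval: mean})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Process < out[j].Process })
	return out
}

// sampleLog is constructed for this example; the token, bot ids and process names are invented.
// "Go-http-client/1.1" is the default User-Agent of Go's net/http client.
const sampleLog = `
2024-05-01T09:00:00Z updater.exe api.telegram.org /bot7000000001:AAF-constructed_example_token/getUpdates Go-http-client/1.1
2024-05-01T09:00:05Z updater.exe api.telegram.org /bot7000000001:AAF-constructed_example_token/getUpdates Go-http-client/1.1
2024-05-01T09:00:10Z updater.exe api.telegram.org /bot7000000001:AAF-constructed_example_token/getUpdates Go-http-client/1.1
2024-05-01T09:00:15Z updater.exe api.telegram.org /bot7000000001:AAF-constructed_example_token/sendMessage Go-http-client/1.1
2024-05-01T09:00:20Z updater.exe api.telegram.org /bot7000000001:AAF-constructed_example_token/getUpdates Go-http-client/1.1
2024-05-01T09:00:01Z chrome.exe web.telegram.org /k/ Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:30:00Z alerts.py api.telegram.org /bot7000000002:AAG-constructed_ops_bot/sendMessage python-requests/2.31
2024-05-01T10:30:00Z alerts.py api.telegram.org /bot7000000002:AAG-constructed_ops_bot/sendMessage python-requests/2.31
`

func main() {
	events, err := ParseProxyLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectBotPolling(events, 3, 30*time.Second) {
		fmt.Printf("%s polls bot %s: %d getUpdates calls, mean interval %s\n",
			f.Process, f.BotID, f.Polls, f.Interval)
	}
}
```

On the constructed log the only finding is `updater.exe` polling bot `7000000001` four times at a mean interval of about 6.7 seconds; the ops bot that only sends two alerts an hour apart and the browser session on `web.telegram.org` are not flagged. The check needs visibility into the request path, so it only works where outbound TLS is inspected or where the endpoint logs URLs; on plain NetFlow-style data the fallback is the cadence of connections to Telegram's API hosts from unexpected processes.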