Cybersecurity researchers have shed light on a new backdoor that uses Telegram as its command-and-control (C2) communication channel.
Netskope Threat Labs, which detailed the malware's functionality, described it as possibly being of Russian origin.
“The malware is written in Golang and, once executed, acts as a backdoor,” security researcher Leandro Fróes noted in an analysis published last week. “Although the malware seems to be still in development, it is fully functional.”
Once launched, the backdoor checks whether it is running from a specific location and under a specific name, “C:\Windows\Temp\svchost.exe”; if not, it reads its own contents, writes them to that location, creates a new process to launch the copied version, and terminates itself.
A notable aspect of the malware is that it uses an open-source library that provides Golang bindings for the Telegram Bot API for C2 purposes.
This involves interacting with the Telegram Bot API to receive new commands from an attacker-controlled chat. It supports four different commands, although only three of them are currently implemented:
- /cmd – executes commands via PowerShell
- /persist – relaunches itself from “C:\Windows\Temp\svchost.exe”
- /screenshot – not implemented
- /
The output of these commands is sent back to the Telegram channel. Netskope said the “/screenshot” command sends a “screenshot” message even though the command is not fully implemented.
The malware's Russian roots are suggested by the fact that the “/cmd” instruction sends the message “Enter the command:” in Russian to the chat.
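Two traits described above are observable on an endpoint: a binary named svchost.exe running from C:\Windows\Temp rather than System32 (and started by something other than services.exe), and a process talking to the Telegram Bot API host. The following detection helper is an added example, not Netskope's code or the malware's; it runs over constructed Sysmon-style process-creation and network-connection events (field names, sample paths and the allowlisted bot path are assumptions for illustration; api.telegram.org is the public Bot API endpoint):

```python
"""Detection helper (added example): flag svchost.exe anomalies and unexpected
Telegram Bot API contacts in simplified Sysmon-style telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, FrozenSet, List

# Where a legitimate svchost.exe lives, and which process normally spawns it
LEGIT_SVCHOST_DIRS = frozenset({r"c:\windows\system32", r"c:\windows\syswow64"})
LEGIT_SVCHOST_PARENT = "services.exe"
# Public Telegram Bot API endpoint used by Bot API client libraries
TELEGRAM_BOT_API_HOST = "api.telegram.org"


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def svchost_anomalies(image: str, parent_image: str) -> List[str]:
    """Return reasons an svchost.exe process creation looks wrong; empty if normal."""
    path = PureWindowsPath(image)
    if path.name.lower() != "svchost.exe":
        return []
    reasons = []
    if str(path.parent).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"runs from non-system directory {path.parent}")
    parent_name = PureWindowsPath(parent_image).name
    if parent_name.lower() != LEGIT_SVCHOST_PARENT:
        reasons.append(f"spawned by {parent_name} instead of {LEGIT_SVCHOST_PARENT}")
    return reasons


def is_unexpected_bot_api_contact(image: str, dest_host: str, allowlist: FrozenSet[str]) -> bool:
    """True when a process not on the (lower-cased) allowlist talks to the Bot API host."""
    return dest_host.lower() == TELEGRAM_BOT_API_HOST and image.lower() not in allowlist


def analyze(events: List[Dict[str, str]], allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Apply both rules to a list of simplified events and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process_create":
            reasons = svchost_anomalies(ev["image"], ev["parent_image"])
            if reasons:
                findings.append(Finding("svchost_anomaly", ev["image"], "; ".join(reasons)))
        elif ev["type"] == "network_connect":
            if is_unexpected_bot_api_contact(ev["image"], ev["dest_host"], allowlist):
                findings.append(Finding("telegram_bot_api_contact", ev["image"],
                                        f"connected to {ev['dest_host']}"))
    return findings


# Constructed sample telemetry (Sysmon event IDs 1 and 3 reduced to the fields used here)
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\Windows\Temp\svchost.exe",
     "parent_image": r"C:\Users\user\Downloads\update.exe"},
    {"type": "network_connect", "image": r"C:\Windows\Temp\svchost.exe",
     "dest_host": "api.telegram.org"},
    {"type": "network_connect", "image": r"C:\Tools\alerts-bot\python.exe",
     "dest_host": "api.telegram.org"},
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "example.com"},
]

# Hypothetical sanctioned internal bot that is allowed to use the Bot API
ALLOWLIST = frozenset({r"c:\tools\alerts-bot\python.exe"})

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, ALLOWLIST):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is it reports two findings: the Temp-resident svchost.exe (wrong directory and wrong parent) and its connection to api.telegram.org; the allowlisted bot is ignored. Without an allowlist, any Bot API contact is flagged, which is the right default in environments that have no sanctioned Telegram bots.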
“The use of cloud applications is a difficult problem for defenders, and attackers know about it,” Fróes said. “Other aspects, such as how easy it is to set up and start using the application, are examples of why attackers use such applications in different stages of an attack.”