Abusing Telegram API for C2 communications
According to the researchers, the C2 communication established by the malware can easily be mistaken for legitimate Telegram API traffic, which makes it difficult to detect: the connections go to api.telegram.org over HTTPS, exactly as any benign bot integration does, so a network defender sees nothing unusual at the destination level.
“Though the use of cloud apps as C2 channels isn’t something we see every day, it’s a very efficient method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what’s a normal user using an API and what’s a C2 communication,” researchers noted.
The backdoor uses Telegram as its C2 mechanism by relying on an open-source Go package to interact with the Bot API, the blog post added. It first creates a bot instance through Telegram’s BotFather, the built-in bot that allows creating, managing, and configuring Telegram bots. Every Bot API call then carries the bot token in the URL path (https://api.telegram.org/bot<id>:<secret>/<method>), and the implant typically sits in a loop polling getUpdates for operator commands and answering with sendMessage; that fixed-interval polling is the one trait that legitimate, event-driven bot integrations rarely share.
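The following Go program is an added example written for this page; it is not code from the researchers’ blog post or from the malware, and it assumes a constructed proxy-log format of the form "<RFC3339 time> <source ip> <HTTP method> <url>" and arbitrary thresholds. It shows the defender-side check the quote above is asking for: rather than trying to tell Telegram API traffic from non-Telegram traffic, it extracts the bot id from the Bot API URL path (the token secret is deliberately not retained), groups getUpdates calls per (source, bot) pair, and flags pairs whose poll cadence is too regular to be a human-driven integration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
	"strings"
	"time"
)

// The Bot API puts the token ("<numeric id>:<secret>") in the URL path, so a
// TLS-inspecting proxy or egress gateway can attribute every call to one bot.
// Only the numeric id is kept; the secret is never written to detection output.
var botPathRe = regexp.MustCompile(`^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)`)

// sampleLog is constructed for this example (it is not real traffic).
// 10.0.0.5 polls getUpdates every 5 s and sends one message: a beacon-like loop.
// 10.0.0.9 makes three irregular calls: what an ad-hoc script would look like.
var sampleLog = `
2024-01-01T00:00:00Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=1&timeout=30
2024-01-01T00:00:03Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBExampleSecretToken_1/getUpdates?timeout=30
2024-01-01T00:00:05Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=2&timeout=30
2024-01-01T00:00:10Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=3&timeout=30
2024-01-01T00:00:10Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBExampleSecretToken_1/getUpdates?timeout=30
2024-01-01T00:00:12Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleSecretToken_0/sendMessage
2024-01-01T00:00:15Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=4&timeout=30
2024-01-01T00:00:20Z 10.0.0.5 GET https://example.com/index.html
2024-01-01T00:00:20Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=5&timeout=30
2024-01-01T00:00:25Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=6&timeout=30
2024-01-01T00:00:30Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=7&timeout=30
2024-01-01T00:00:35Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=8&timeout=30
2024-01-01T00:00:40Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=9&timeout=30
2024-01-01T00:00:45Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleSecretToken_0/getUpdates?offset=10&timeout=30
2024-01-01T00:01:03Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBExampleSecretToken_1/getUpdates?timeout=30
`

type request struct {
	at            time.Time
	src, botID    string
	method        string
}

// parseLine returns ok=false for lines that are not Telegram Bot API calls.
func parseLine(line string) (request, bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return request{}, false
	}
	m := botPathRe.FindStringSubmatch(f[3])
	if m == nil {
		return request{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return request{}, false
	}
	return request{at: at, src: f[1], botID: m[1], method: m[3]}, true
}

// Finding describes one (source host, bot id) pair whose getUpdates cadence
// looks like a polling loop rather than interactive use.
type Finding struct {
	Src, BotID string
	Polls      int
	MeanGap    float64        // seconds between successive getUpdates calls
	CV         float64        // stddev/mean of those gaps; near 0 = fixed interval
	Methods    map[string]int // every Bot API method seen for the pair
}

// analyze flags pairs with at least minPolls getUpdates calls whose
// inter-arrival coefficient of variation is at most maxCV.
func analyze(log string, minPolls int, maxCV float64) []Finding {
	type key struct{ src, bot string }
	polls := map[key][]time.Time{}
	methods := map[key]map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		r, ok := parseLine(strings.TrimSpace(line))
		if !ok {
			continue
		}
		k := key{r.src, r.botID}
		if methods[k] == nil {
			methods[k] = map[string]int{}
		}
		methods[k][r.method]++
		if r.method == "getUpdates" {
			polls[k] = append(polls[k], r.at)
		}
	}
	var out []Finding
	for k, ts := range polls {
		if len(ts) < minPolls {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
		}
		mean, cv := gapStats(gaps)
		if cv > maxCV {
			continue
		}
		out = append(out, Finding{k.src, k.bot, len(ts), mean, cv, methods[k]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// gapStats returns the mean and coefficient of variation (population stddev / mean).
func gapStats(xs []float64) (mean, cv float64) {
	if len(xs) == 0 {
		return 0, math.Inf(1)
	}
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	var v float64
	for _, x := range xs {
		v += (x - mean) * (x - mean)
	}
	if mean == 0 {
		return 0, math.Inf(1)
	}
	return mean, math.Sqrt(v/float64(len(xs))) / mean
}

func main() {
	for _, f := range analyze(sampleLog, 5, 0.2) {
		fmt.Printf("%s -> bot %s: %d polls, mean gap %.1fs, cv %.2f, methods %v\n",
			f.Src, f.BotID, f.Polls, f.MeanGap, f.CV, f.Methods)
	}
}
```

On the constructed log this reports only 10.0.0.5 against bot 123456789 (ten polls at a 5 s interval, CV 0, plus one sendMessage), while 10.0.0.9 drops out on the poll-count threshold. The thresholds are assumptions to be tuned against a baseline of the organisation’s own bot integrations; a real implant may add jitter or use long polling with a large timeout, which stretches the gaps but usually keeps them just as regular.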