Commands for code execution and persistence: The researchers said the backdoor currently accepts four C2 commands in total, which are sent to the Telegram channel via the Send function of the Telegram package; one of the four is not yet implemented.

The most critical is the “/cmd” command, which executes PowerShell and therefore gives the operator arbitrary command execution on the compromised host. The command arrives in the Telegram channel as two separate chat messages: the first is the “/cmd” string itself, the second is the PowerShell command to run.

With the “/persist” command, the malware first checks whether it is running from a specific location on the local system; if it is not, it relaunches itself from that location and exits. A “selfdestruct” command is also implemented to delete the malware from that location and terminate the process.

A “/screenshot” command has been provisioned in the malware but is not fully implemented, the researchers said. The Netskope team has shared the IOCs and scripts related to the malware in a dedicated GitHub repository.

Other legitimate services, including OneDrive, GitHub, Dropbox, Discord and Tor, have been abused by threat actors in the past to establish C2 channels that are quick to set up and hard to detect.
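Because “/cmd” is split across two chat messages, anyone reconstructing what the operator actually ran (from a replayed bot poll, a TLS-inspected capture, or the Netskope scripts' output) has to carry state from one message to the next. The Python below is an added example, not code from the Netskope research or from the malware, showing that stateful reconstruction over Telegram Bot API getUpdates JSON. The message structure follows the public Bot API; the two sample polls are constructed for this example, the chat id and timestamps are made up, and the leading slash on “/selfdestruct” is an assumption made for consistency with the other three commands.

```python
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Command vocabulary reported for this backdoor. Descriptions paraphrase the
# article; "/selfdestruct" with a leading slash is an assumption (the article
# writes "selfdestruct" without one).
KNOWN_COMMANDS = {
    "/cmd": "execute PowerShell; the script text arrives in the next message",
    "/persist": "relaunch from the fixed install path and exit",
    "/screenshot": "provisioned but not implemented",
    "/selfdestruct": "delete the binary from the install path and exit",
}


@dataclass
class C2Event:
    update_id: int            # update that carried the command keyword
    chat_id: int
    command: str              # a KNOWN_COMMANDS key, or "?" for unrecognised text
    payload: Optional[str]    # PowerShell text for /cmd, otherwise None
    note: str


def extract_messages(raw_json: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (update_id, chat_id, text) from a getUpdates body, oldest first."""
    body = json.loads(raw_json)
    if not body.get("ok"):
        raise ValueError("getUpdates response was not ok")
    for upd in sorted(body["result"], key=lambda u: u["update_id"]):
        # Channels deliver "channel_post"; private and group chats deliver "message".
        msg = upd.get("message") or upd.get("channel_post")
        if not msg or "text" not in msg:
            continue  # photos, stickers, service messages: not commands
        yield upd["update_id"], msg["chat"]["id"], msg["text"].strip()


def reconstruct_commands(raw_json: str, pending: Optional[int] = None
                         ) -> Tuple[List[C2Event], Optional[int]]:
    """Rebuild the operator's command stream from one poll.

    `pending` is the update_id of a bare "/cmd" whose PowerShell payload has not
    arrived yet (state carried over from the previous poll). Returns the events
    plus the new pending state so the caller can persist it between polls.
    """
    events: List[C2Event] = []
    for update_id, chat_id, text in extract_messages(raw_json):
        if pending is not None:
            # Whatever follows a bare "/cmd" is the payload, even if it looks like
            # another command: that is how a two-message dispatcher behaves.
            events.append(C2Event(pending, chat_id, "/cmd", text, KNOWN_COMMANDS["/cmd"]))
            pending = None
        elif text == "/cmd":
            pending = update_id
        elif text in KNOWN_COMMANDS:
            events.append(C2Event(update_id, chat_id, text, None, KNOWN_COMMANDS[text]))
        else:
            events.append(C2Event(update_id, chat_id, "?", text,
                                  "unrecognised text; not a known command"))
    return events, pending


def powershell_payloads(events: List[C2Event]) -> List[str]:
    """Only the PowerShell that was actually handed to /cmd, in order."""
    return [e.payload for e in events if e.command == "/cmd" and e.payload is not None]


# Constructed sample data (not captured traffic): chat id and dates are made up.
def _post(update_id: int, text: str) -> dict:
    return {"update_id": update_id,
            "channel_post": {"message_id": update_id, "date": 1700000000 + update_id,
                             "chat": {"id": -1001, "type": "channel"}, "text": text}}


SAMPLE_POLL_1 = json.dumps({"ok": True, "result": [
    _post(101, "/persist"),
    _post(102, "/cmd"),
    _post(103, "Get-Process | Select-Object -First 5"),
    _post(104, "/screenshot"),
    _post(105, "status?"),          # operator chatter, not a command
    _post(106, "/selfdestruct"),
    _post(107, "/cmd"),             # payload has not arrived in this poll
]})

SAMPLE_POLL_2 = json.dumps({"ok": True, "result": [
    _post(108, "whoami"),           # completes the /cmd from update 107
    {"update_id": 109, "channel_post": {"message_id": 109, "date": 1700000109,
                                        "chat": {"id": -1001, "type": "channel"},
                                        "photo": []}},   # no text: skipped
]})

if __name__ == "__main__":
    ev1, pend = reconstruct_commands(SAMPLE_POLL_1)
    ev2, pend = reconstruct_commands(SAMPLE_POLL_2, pend)
    for e in ev1 + ev2:
        print(f"update {e.update_id}: {e.command:<13} {e.payload or ''}  ({e.note})")
    print("PowerShell executed:", powershell_payloads(ev1 + ev2))
```

The pending update id is the only state that has to survive between polls; keeping it outside the parser is what lets the same function be run over a directory of captured responses one file at a time.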
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3826808/russian-malware-discovered-with-telegram-hacks-for-c2-operations.html