Source: Active Countermeasures Author: Faan Rossouw URL: https://www.activecountermeasures.com/threat-hunting-a-telegram-c2-channel/

ONE SENTENCE SUMMARY:

A newly discovered C2 channel exploits Telegram’s API as a backdoor, using Go programming for stealthy command-and-control operations.

MAIN POINTS:

1. A novel Command-and-Control (C2) channel was found leveraging Telegram’s API for covert communication.
2. The malware is written in Go, enhancing its cross-platform capabilities and stealth.
3. Telegram’s API provides a reliable and encrypted medium for attackers to control compromised systems.
4. This method bypasses traditional network security measures by using a legitimate service.
5. Attackers can issue commands and exfiltrate data through Telegram bots.
6. Threat actors benefit from Telegram’s anonymity and resilience to takedown efforts.
7. Detection is challenging due to the encrypted nature of Telegram communications.
8. Security teams must develop new strategies to identify and mitigate Telegram-based C2 channels.
9. Indicators of compromise (IoCs) include unusual Telegram traffic from enterprise networks.
10. Organizations should monitor for unauthorized Telegram API usage to prevent potential threats.

TAKEAWAYS:

1. Telegram’s API is increasingly exploited as a covert C2 channel by threat actors.
2. Traditional security tools may struggle to detect encrypted Telegram-based malware communications.
3. Monitoring network traffic for unusual Telegram activity can help identify potential threats.
4. Security teams should develop detection strategies specifically for Telegram-based C2 channels.
5. Proactive threat hunting is essential to mitigate the risks posed by novel C2 techniques.