{"id":22024,"date":"2025-02-21T09:06:16","date_gmt":"2025-02-21T12:06:16","guid":{"rendered":"https:\/\/www.ethicalhacker.com.br\/site\/?p=22024"},"modified":"2025-02-21T09:06:16","modified_gmt":"2025-02-21T12:06:16","slug":"backdoor-baseado-em-golang-usa-api-de-telegram","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2025\/02\/exploits\/backdoor-baseado-em-golang-usa-api-de-telegram\/","title":{"rendered":"Backdoor baseado em Golang usa API de  Telegram"},"content":{"rendered":"\n<p class=\"story-title\"><strong>Novo backdoor baseado em Golang usa API de bot do Telegram para opera\u00e7\u00f5es evasivas de C2<\/strong><\/p>\n<p style=\"text-align: justify;\">Recentemente, pesquisadores de seguran\u00e7a cibern\u00e9tica identificaram um novo backdoor baseado em Golang que utiliza a API do Telegram como mecanismo para opera\u00e7\u00f5es de comando e controle (C2). Descoberto pela Netskope Threat Labs, o malware, possivelmente de origem russa, \u00e9 funcional e est\u00e1 em desenvolvimento ativo. Ele se destaca por sua capacidade de se comunicar com um bot do Telegram para receber comandos e executar a\u00e7\u00f5es maliciosas em sistemas comprometidos.<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Neste artigo, exploraremos como esse malware opera e forneceremos exemplos de scripts em Python que podem ser usados para mitigar ou detectar atividades suspeitas relacionadas a esse tipo de amea\u00e7a.<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><strong>Como o backdoor funciona<\/strong><\/p>\n<p style=\"text-align: justify;\">O backdoor, uma vez executado, verifica se est\u00e1 rodando em um local espec\u00edfico (<code>C:\\Windows\\Temp\\svchost.exe<\/code>). Caso contr\u00e1rio, ele se copia para esse diret\u00f3rio e cria um novo processo para se executar, encerrando a inst\u00e2ncia original. Ele utiliza uma biblioteca de c\u00f3digo aberto que oferece bindings em Golang para a API do Telegram Bot, permitindo que os atacantes enviem comandos remotamente por meio de um chat controlado por eles.<\/p>\n<p>Os comandos suportados incluem:<\/p>\n<ul>\n<li>\n<p><strong>\/cmd<\/strong>: Executa comandos via PowerShell.<\/p>\n<\/li>\n<li>\n<p><strong>\/persist<\/strong>: Relan\u00e7a o backdoor no diret\u00f3rio\u00a0<code>C:\\Windows\\Temp\\svchost.exe<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>\/screenshot<\/strong>: Ainda n\u00e3o implementado, mas envia uma mensagem de confirma\u00e7\u00e3o falsa.<\/p>\n<\/li>\n<li>\n<p><strong>\/selfdestruct<\/strong>: Exclui o arquivo\u00a0<code>C:\\Windows\\Temp\\svchost.exe<\/code>\u00a0e encerra a execu\u00e7\u00e3o.<\/p>\n<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p>A sa\u00edda dos comandos \u00e9 enviada de volta ao chat do Telegram, permitindo que os atacantes monitorem e controlem o sistema comprometido.<\/p>\n<p>\u00a0<\/p>\n<p><strong>Estrat\u00e9gias de mitiga\u00e7\u00e3o<\/strong><\/p>\n<p>Para combater esse tipo de amea\u00e7a, \u00e9 essencial adotar uma abordagem proativa, incluindo a detec\u00e7\u00e3o de atividades suspeitas e a implementa\u00e7\u00e3o de medidas preventivas. Abaixo, apresentamos exemplos de scripts em Python que podem ajudar nessa tarefa.<\/p>\n<h3>\u00a0<\/h3>\n<p><strong>1.\u00a0Monitoramento de processos suspeitos<\/strong><\/p>\n<p style=\"text-align: justify;\">O backdoor se copia para\u00a0<code>C:\\Windows\\Temp\\svchost.exe<\/code>\u00a0e cria um novo processo. Podemos monitorar processos suspeitos nesse diret\u00f3rio usando a biblioteca\u00a0<code>psutil<\/code> em Python.<\/p>\n<p>\u00a0<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token keyword\">import<\/span> psutil\n<span class=\"token keyword\">import<\/span> os\n\n<span class=\"token keyword\">def<\/span> <span class=\"token function\">monitor_temp_processes<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n    temp_path <span class=\"token operator\">=<\/span> <span class=\"token string\">r\"C:\\Windows\\Temp\"<\/span>\n    <span class=\"token keyword\">for<\/span> proc <span class=\"token keyword\">in<\/span> psutil<span class=\"token punctuation\">.<\/span>process_iter<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">[<\/span><span class=\"token string\">'pid'<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">'name'<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">'exe'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n        <span class=\"token keyword\">try<\/span><span class=\"token punctuation\">:<\/span>\n            <span class=\"token keyword\">if<\/span> proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'exe'<\/span><span class=\"token punctuation\">]<\/span> <span class=\"token keyword\">and<\/span> temp_path <span class=\"token keyword\">in<\/span> proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'exe'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">:<\/span>\n                <span class=\"token keyword\">print<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Processo suspeito encontrado: <br \/><\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'name'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\"> (PID: <\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'pid'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\">)\"<\/span><\/span><span class=\"token punctuation\">)<\/span>\n        <span class=\"token keyword\">except<\/span> <span class=\"token punctuation\">(<\/span>psutil<span class=\"token punctuation\">.<\/span>NoSuchProcess<span class=\"token punctuation\">,<\/span> psutil<span class=\"token punctuation\">.<\/span>AccessDenied<span class=\"token punctuation\">,<\/span> psutil<span class=\"token punctuation\">.<\/span>ZombieProcess<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n            <span class=\"token keyword\">pass<\/span>\n\n<span class=\"token keyword\">if<\/span> __name__ <span class=\"token operator\">==<\/span> <span class=\"token string\">\"__main__\"<\/span><span class=\"token punctuation\">:<\/span>\n    monitor_temp_processes<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<br \/><br \/><\/span><\/pre>\n<\/div>\n<p style=\"text-align: justify;\">Esse script verifica se h\u00e1 processos em execu\u00e7\u00e3o no diret\u00f3rio\u00a0<code>C:\\Windows\\Temp<\/code>\u00a0e alerta sobre poss\u00edveis atividades maliciosas.<\/p>\n<h3>\u00a0<\/h3>\n<p>2.\u00a0<strong>Bloqueio de comunica\u00e7\u00e3o com a API do Telegram<\/strong><\/p>\n<p style=\"text-align: justify;\">Como o backdoor usa a API do Telegram para C2, podemos bloquear tr\u00e1fego de rede para os endere\u00e7os IP associados ao Telegram. Abaixo, um exemplo de como listar conex\u00f5es de rede suspeitas:<\/p>\n<p>\u00a0<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token keyword\">import<\/span> psutil\n\n<span class=\"token keyword\">def<\/span> <span class=\"token function\">check_telegram_connections<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n    telegram_ips <span class=\"token operator\">=<\/span> <span class=\"token punctuation\">[<\/span><span class=\"token string\">\"149.154.160.0\"<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">\"91.108.4.0\"<\/span><span class=\"token punctuation\">]<\/span>  <span class=\"token comment\"># Faixas de IP do Telegram<\/span>\n    <span class=\"token keyword\">for<\/span> conn <span class=\"token keyword\">in<\/span> psutil<span class=\"token punctuation\">.<\/span>net_connections<span class=\"token punctuation\">(<\/span>kind<span class=\"token operator\">=<\/span><span class=\"token string\">'inet'<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n        <span class=\"token keyword\">if<\/span> conn<span class=\"token punctuation\">.<\/span>raddr <span class=\"token keyword\">and<\/span> <span class=\"token builtin\">any<\/span><span class=\"token punctuation\">(<\/span>conn<span class=\"token punctuation\">.<\/span>raddr<span class=\"token punctuation\">.<\/span>ip<span class=\"token punctuation\">.<\/span>startswith<span class=\"token punctuation\">(<\/span>ip<span class=\"token punctuation\">)<\/span> <span class=\"token keyword\">for<\/span> ip <span class=\"token keyword\">in<\/span> telegram_ips<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n            <span class=\"token keyword\">print<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Conex\u00e3o suspeita encontrada: <\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>conn<span class=\"token punctuation\">.<\/span>laddr<span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\"> -&gt; <\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>conn<span class=\"token punctuation\">.<\/span>raddr<span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\">\"<\/span><\/span><span class=\"token punctuation\">)<\/span>\n\n<span class=\"token keyword\">if<\/span> __name__ <span class=\"token operator\">==<\/span> <span class=\"token string\">\"__main__\"<\/span><span class=\"token punctuation\">:<\/span>\n    check_telegram_connections<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<br \/><br \/><\/span><\/pre>\n<\/div>\n<p>Esse script identifica conex\u00f5es de rede para os IPs do Telegram, que podem indicar comunica\u00e7\u00e3o maliciosa.<\/p>\n<h3>\u00a0<\/h3>\n<p><strong>3.\u00a0Detec\u00e7\u00e3o de comandos PowerShell suspeitos<\/strong><\/p>\n<p style=\"text-align: justify;\">O backdoor executa comandos via PowerShell. Podemos monitorar a execu\u00e7\u00e3o de comandos PowerShell suspeitos usando o m\u00f3dulo\u00a0<code>subprocess<\/code>:<\/p>\n<div class=\"md-code-block\">\n<div class=\"md-code-block-banner-wrap\">\n<div class=\"md-code-block-banner\">\n<div class=\"md-code-block-action\">\n<div class=\"ds-markdown-code-copy-button\">\u00a0<\/div>\n<\/div>\n<\/div>\n<\/div>\n<pre><span class=\"token keyword\">import<\/span> subprocess\n\n<span class=\"token keyword\">def<\/span> <span class=\"token function\">monitor_powershell<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n    command <span class=\"token operator\">=<\/span> <span class=\"token string\">\"Get-WinEvent -LogName Microsoft-Windows-PowerShell\/Operational | <br \/>Where-Object { $_.Id -eq 4104 }\"<\/span>\n    result <span class=\"token operator\">=<\/span> subprocess<span class=\"token punctuation\">.<\/span>run<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">[<\/span><span class=\"token string\">\"powershell\"<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">\"-Command\"<\/span><span class=\"token punctuation\">,<\/span> command<span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">,<\/span> capture_output<span class=\"token operator\">=<\/span><span class=\"token boolean\">True<\/span><span class=\"token punctuation\">,<\/span> <br \/>text<span class=\"token operator\">=<\/span><span class=\"token boolean\">True<\/span><span class=\"token punctuation\">)<\/span>\n    \n    <span class=\"token keyword\">if<\/span> <span class=\"token string\">\"cmd\"<\/span> <span class=\"token keyword\">in<\/span> result<span class=\"token punctuation\">.<\/span>stdout<span class=\"token punctuation\">.<\/span>lower<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n        <span class=\"token keyword\">print<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string\">\"Comando suspeito detectado no log do PowerShell!\"<\/span><span class=\"token punctuation\">)<\/span>\n\n<span class=\"token keyword\">if<\/span> __name__ <span class=\"token operator\">==<\/span> <span class=\"token string\">\"__main__\"<\/span><span class=\"token punctuation\">:<\/span>\n    monitor_powershell<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<br \/><br \/><\/span><\/pre>\n<\/div>\n<p style=\"text-align: justify;\">Esse script verifica logs do PowerShell em busca de comandos suspeitos, como os enviados pelo backdoor.<\/p>\n<p>\u00a0<\/p>\n<p><strong>4.\u00a0Exclus\u00e3o de arquivos maliciosos<\/strong><\/p>\n<p style=\"text-align: justify;\">Caso o backdoor seja detectado, podemos criar um script para excluir o arquivo malicioso e interromper sua execu\u00e7\u00e3o:<\/p>\n<p>\u00a0<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token keyword\">import<\/span> os\n<span class=\"token keyword\">import<\/span> psutil\n\n<span class=\"token keyword\">def<\/span> <span class=\"token function\">remove_malicious_file<\/span><span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n    malicious_path <span class=\"token operator\">=<\/span> <span class=\"token string\">r\"C:\\Windows\\Temp\\svchost.exe\"<\/span>\n    <span class=\"token keyword\">if<\/span> os<span class=\"token punctuation\">.<\/span>path<span class=\"token punctuation\">.<\/span>exists<span class=\"token punctuation\">(<\/span>malicious_path<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n        os<span class=\"token punctuation\">.<\/span>remove<span class=\"token punctuation\">(<\/span>malicious_path<span class=\"token punctuation\">)<\/span>\n        <span class=\"token keyword\">print<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Arquivo malicioso removido: <\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>malicious_path<span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\">\"<\/span><\/span><span class=\"token punctuation\">)<\/span>\n        \n        <span class=\"token comment\"># Encerra processos associados ao arquivo<\/span>\n        <span class=\"token keyword\">for<\/span> proc <span class=\"token keyword\">in<\/span> psutil<span class=\"token punctuation\">.<\/span>process_iter<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">[<\/span><span class=\"token string\">'pid'<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">'name'<\/span><span class=\"token punctuation\">,<\/span> <span class=\"token string\">'exe'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n            <span class=\"token keyword\">try<\/span><span class=\"token punctuation\">:<\/span>\n                <span class=\"token keyword\">if<\/span> proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'exe'<\/span><span class=\"token punctuation\">]<\/span> <span class=\"token operator\">==<\/span> malicious_path<span class=\"token punctuation\">:<\/span>\n                    proc<span class=\"token punctuation\">.<\/span>kill<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<\/span>\n                    <span class=\"token keyword\">print<\/span><span class=\"token punctuation\">(<\/span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Processo encerrado: PID <\/span><span class=\"token interpolation\"><span class=\"token punctuation\">{<\/span>proc<span class=\"token punctuation\">.<\/span>info<span class=\"token punctuation\">[<\/span><span class=\"token string\">'pid'<\/span><span class=\"token punctuation\">]<\/span><span class=\"token punctuation\">}<\/span><\/span><span class=\"token string\">\"<\/span><\/span><span class=\"token punctuation\">)<\/span>\n            <span class=\"token keyword\">except<\/span> <span class=\"token punctuation\">(<\/span>psutil<span class=\"token punctuation\">.<\/span>NoSuchProcess<span class=\"token punctuation\">,<\/span> psutil<span class=\"token punctuation\">.<\/span>AccessDenied<span class=\"token punctuation\">,<\/span> psutil<span class=\"token punctuation\">.<\/span>ZombieProcess<span class=\"token punctuation\">)<\/span><span class=\"token punctuation\">:<\/span>\n                <span class=\"token keyword\">pass<\/span>\n\n<span class=\"token keyword\">if<\/span> __name__ <span class=\"token operator\">==<\/span> <span class=\"token string\">\"__main__\"<\/span><span class=\"token punctuation\">:<\/span>\n    remove_malicious_file<span class=\"token punctuation\">(<\/span><span class=\"token punctuation\">)<br \/><br \/><\/span><\/pre>\n<\/div>\n<p>Esse script remove o arquivo malicioso e encerra qualquer processo associado a ele.<\/p>\n<p>\u00a0<\/p>\n<p><strong>Conclus\u00e3o<\/strong><\/p>\n<p style=\"text-align: justify;\">O uso de aplicativos em nuvem, como o Telegram, para opera\u00e7\u00f5es de C2 representa um desafio significativo para os defensores de seguran\u00e7a cibern\u00e9tica. No entanto, com ferramentas e scripts adequados, \u00e9 poss\u00edvel detectar e mitigar essas amea\u00e7as de forma eficaz. Os exemplos de Python fornecidos neste artigo s\u00e3o um ponto de partida para fortalecer suas defesas contra backdoors baseados em Golang e outras amea\u00e7as semelhantes.<\/p>\n<p style=\"text-align: justify;\">Lembre-se de que a seguran\u00e7a cibern\u00e9tica \u00e9 um processo cont\u00ednuo. Mantenha-se atualizado sobre as \u00faltimas amea\u00e7as e adapte suas estrat\u00e9gias de defesa conforme necess\u00e1rio.<\/p>\n<p>\u00a0<\/p>\n<p>Fonte e imagens: <a href=\"https:\/\/thehackernews.com\/2025\/02\/new-golang-based-backdoor-uses-telegram.html\" target=\"_blank\" rel=\"noopener\">https:\/\/thehackernews.com\/2025\/02\/new-golang-based-backdoor-uses-telegram.html<\/a><\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>Novo backdoor baseado em Golang usa API de bot do Telegram para opera\u00e7\u00f5es evasivas de C2 Recentemente, pesquisadores de seguran\u00e7a cibern\u00e9tica identificaram um novo backdoor baseado em Golang que utiliza a API do Telegram como mecanismo para opera\u00e7\u00f5es de comando e controle (C2). Descoberto pela Netskope Threat Labs, o malware, possivelmente de origem russa, \u00e9 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":22029,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89,100,21,105],"tags":[],"class_list":["post-22024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-basico","category-diversos","category-exploits","category-noticias"],"_links":{"self":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/comments?post=22024"}],"version-history":[{"count":4,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22024\/revisions"}],"predecessor-version":[{"id":22028,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22024\/revisions\/22028"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media\/22029"}],"wp:attachment":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media?parent=22024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/categories?post=22024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/tags?post=22024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}