GITCBot: A Novel Approach for the Next Generation of C&C Malware

Abstract

Online Social Networks (OSNs) attracted millions of users in the world. OSNs made adversaries more passionate to create malware variants to subvert the cyber defence of OSNs. Through various threat vectors, adversaries persuasively lure OSN users into installing malware on their devices at an enormous scale. One of the most horrendous forms of named malware is OSNs' botnets that conceal C&C information using OSNs' accounts of unaware users. In this paper, we present GITC (Ghost In The Cloud), which uses Telegram as a C&C server to communicate with threat actors and access targets' information in an undetectable way. Furthermore, we present our implementation of GITC. We show how GITC uses the encrypted telegram Application Programming Interface (API) to cover up records of the adversary connections to the target, and we discuss why current intrusion detection systems cannot detect GITC. In the end, we run some sets of experiments that confirm the feasibility of GITC.