A newly found Linux malware dubbed ‘DISGOMOJI’ makes use of the novel method of using emojis to execute instructions on contaminated gadgets in assaults on authorities companies in India.
The malware was found by cybersecurity agency Volexity, which believes it’s linked to a Pakistan-based risk actor often called ‘UTA0137.’
“In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137,” explains Volexity.
“Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful,” continued the researchers.
The malware is much like many different backdoors/botnets utilized in totally different assaults, permitting risk actors to execute instructions, take screenshots, steal information, deploy extra payloads, and seek for information.
Nevertheless, its use of Discord and emojis as a command and management (C2) platform makes the malware stand out from others and will permit it to bypass safety software program that appears for text-based instructions.
Discord and emojis as a C2
Based on Volexity, the malware was found after the researchers noticed a UPX-packed ELF executable in a ZIP archive, probably distributed by way of phishing emails. Volexity believes that the malware targets a customized Linux distribution named BOSS that Indian authorities companies use as their desktop.
When executed, the malware will obtain and show a PDF lure that may be a beneficiary kind from India’s Defence Service Officer Provident Fund in case of an officer’s dying.
Nevertheless, extra payloads will likely be downloaded within the background, together with the DISGOMOJI malware and a shell script named ‘uevent_seqnum.sh’ that’s used to seek for USB drives and steal information from them.
When DISGOMOJI is launched, the malware will exfiltrate system info from the machine, together with IP handle, username, hostname, working system, and the present working listing, which is shipped again to the attackers.
To manage the malware, the risk actors make the most of the open-source command and management venture discord-c2, which makes use of Discord and emojis to speak with contaminated gadgets and execute instructions.
The malware will connect with an attacker-controlled Discord server and look forward to the risk actors to kind emojis into the channel.
“DISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable. While DISGOMOJI is processing a command, it reacts with a “Clock” emoji in the command message to let the attacker know the command is being processed. Once the command is fully processed, the “Clock” emoji reaction is removed and DISGOMOJI adds a “Check Mark Button” emoji as a reaction to the command message to confirm the command was executed.”
❖ Volexity
9 emojis are used to symbolize instructions to execute on an contaminated gadget, that are listed beneath.
The malware maintains persistence on the Linux gadget by utilizing the @reboot cron command to execute the malware on boot.
Volexity says they found extra variations that utilized different persistence mechanisms for DISGOMOJI and the USB information theft script, together with XDG autostart entries.
As soon as a tool is breached, the risk actors make the most of their entry to unfold laterally, steal information, and try to steal extra credentials from focused customers.
Whereas emojis might look like a “cute” novelty to the malware, they may permit it to bypass detection by safety software program that generally appears for string-based malware instructions, making this an fascinating method.
