A suspected Pakistani threat actor, UTA0137, launched a cyberespionage campaign targeting Indian government entities using DISGOMOJI malware by leveraging a modified version of discord-c2 for command and control via emojis, likely because the attackers knew their targets were Linux desktop users.
The campaign used the known DirtyPipe vulnerability (CVE-2022-0847) to escalate privileges on vulnerable BOSS 9 systems; BOSS is a Linux distribution specific to the Indian government, and tailoring the campaign to it suggests the initial access was a phishing tactic.
A UPX-packed Golang ELF (ELF1), delivered in a ZIP archive, exploits a vulnerability to infect the system: it first displays a decoy PDF and then downloads a second-stage payload (vmcoreinfo), a custom Golang ELF (ELF2) variant of the DISGOMOJI malware, from a remote server.
DISGOMOJI uses Discord for C2 with hardcoded credentials and creates a dedicated channel per victim.
Upon launch, it exfiltrates victim details (internal IP, username, hostname, OS, working directory) and establishes persistence via crontab. Additionally, it executes a script (uevent_seqnum.sh) to search for and copy data from any connected USB devices.
DISGOMOJI, a malware using Discord as a command-and-control (C2) server, communicates with attackers through emojis, where attackers send emoji commands along with parameters (when applicable) to the Discord channel.
The malware reacts with a “Clock” emoji while processing the command and confirms completion with a “Check Mark Button” emoji. Available commands include executing commands on the victim’s device, taking screenshots, uploading/downloading files, exfiltrating specific file types, zipping Firefox profiles, and terminating the malware itself.
Variations of DISGOMOJI:
The latest DISGOMOJI malware variant is a Golang ELF disguised as an IPR document; it downloads additional scripts (LAN_Conf.sh, WAN_Conf) and a USB stealer (uevent_seqnum.sh) from a malicious server.
LAN_Conf.sh establishes persistence for DISGOMOJI and the stealer using crontabs, while WAN_Conf creates a disguised desktop shortcut (GNOME_Core.desktop) using XDG autostart to ensure automatic execution at startup.
The variant also implements improvements such as preventing duplicate processes, fetching authentication details dynamically, and adding bogus strings for obfuscation.
It runs `ps aux` to count running vmcoreinfo processes and exits if the count exceeds two. It retrieves the Discord credentials (server ID and authentication token) dynamically from the C2 server (ordai.quest) at runtime and stores them locally (BID1.txt and GID1.txt).
This makes it resilient to the takedown of the malicious server, as updating the C2 server reflects on the infected clients. Bogus strings like “Graphics Display Rendering” and error messages like “Error fetching Repository Key” are employed to mislead analysts.
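As an added defender-side example (not code from the Volexity report or from the malware), the following Python hunts a crontab dump and XDG autostart .desktop files for the persistence artifacts this report names: the crontab entries for vmcoreinfo and uevent_seqnum.sh, and the GNOME_Core.desktop shortcut. The sample crontab and .desktop contents are constructed, and the paths under /home/user are assumptions.

```python
import re
from typing import Dict, List

# File names and the C2 host named in the report above (no hashes or other IoCs).
SUSPECT = ("vmcoreinfo", "uevent_seqnum.sh", "LAN_Conf.sh", "WAN_Conf", "GNOME_Core.desktop", "ordai.quest")
# Five schedule fields, or an @reboot-style shortcut, followed by the command.
CRON_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>\S.*)$")

def parse_crontab(text: str) -> List[str]:
    """Return the command field of every schedule line in a crontab dump."""
    cmds = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        m = CRON_RE.match(line)
        if m:
            cmds.append(m.group("cmd").strip())
    return cmds

def parse_desktop_exec(text: str) -> List[str]:
    """Return the Exec= command(s) declared in an XDG .desktop file."""
    return [ln.split("=", 1)[1].strip() for ln in text.splitlines() if ln.startswith("Exec=")]

def hunt(crontab_text: str, autostart: Dict[str, str]) -> List[dict]:
    """Flag crontab and XDG autostart entries that reference the report's artifacts."""
    findings = []
    for cmd in parse_crontab(crontab_text):
        hits = [n for n in SUSPECT if n in cmd]
        if hits:
            findings.append({"source": "crontab", "cmd": cmd, "hits": hits})
    for fname, body in autostart.items():  # e.g. files under ~/.config/autostart/
        for cmd in parse_desktop_exec(body):
            hits = [n for n in SUSPECT if n in cmd or n == fname]
            if hits:
                findings.append({"source": fname, "cmd": cmd, "hits": hits})
    return findings

# Constructed samples for illustration, not data from an infected host.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
@reboot /home/user/.local/share/vmcoreinfo
*/5 * * * * /home/user/.local/share/uevent_seqnum.sh
"""
SAMPLE_AUTOSTART = {
    "GNOME_Core.desktop": "[Desktop Entry]\nType=Application\nName=GNOME Core\nExec=/home/user/.local/share/vmcoreinfo\n",
    "evolution-alarm-notify.desktop": "[Desktop Entry]\nType=Application\nExec=/usr/libexec/evolution-alarm-notify\n",
}
```

Calling `hunt(SAMPLE_CRONTAB, SAMPLE_AUTOSTART)` returns three findings (two crontab entries and the GNOME_Core.desktop shortcut) and ignores the benign updatedb and Evolution entries.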
Volexity discovered a second-stage toolset used by UTA0137 after a successful infection, including Nmap for scanning, Chisel/Ligolo for tunneling, oshi[.]at for staging and exfiltration, and Zenity for phishing.
UTA0137 also used DirtyPipe (CVE-2022-0847) to gain more access to a BOSS system. The time zone setting, infrastructure links to SideCopy, use of Punjabi language, and targeting of Indian government entities all point to a threat actor based in Pakistan.