| DISGOMOJI | |
| --- | --- |
| Type of Malware | Exploit Kit |
| Country of Origin | Pakistan |
| Date of initial activity | 2024 |
| Targeted Countries | India |
| Associated Groups | UTA0137 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Linux |
Overview
In June 2024, Volexity unveiled a sophisticated cyber-espionage campaign involving DISGOMOJI, a highly specialized malware crafted for targeted attacks on Indian government entities. The malware, linked to a threat actor known as UTA0137 and believed to be based in Pakistan, represents a significant evolution in cyber-espionage tactics. DISGOMOJI stands out for its unique command and control (C2) infrastructure, leveraging the Discord messaging platform to orchestrate its operations.
DISGOMOJI’s technical design incorporates elements that are both novel and alarming. Written in Golang and compiled for Linux systems, this malware utilizes a custom variant of the open-source discord-c2 project. By employing Discord for C2 communication, DISGOMOJI introduces an unusual but effective method of managing malware operations, using emojis as a means to send commands and receive data. This approach not only facilitates covert communication but also complicates detection and mitigation efforts.
The malware’s capabilities extend beyond typical espionage tools, with features designed to maintain persistence, exfiltrate data, and interact with victims in a highly controlled manner. DISGOMOJI establishes itself on infected systems using cron jobs, ensuring its survival across reboots. It also utilizes scripts to monitor and extract files from USB devices, further enhancing its data theft operations. The deployment of DISGOMOJI underscores the increasing sophistication of cyber threats targeting government sectors and highlights the need for advanced detection and defense strategies.
Targets
Individuals
Public Administration
Information
How they operate
At the core of DISGOMOJI’s operation is its use of Discord for command and control. Unlike conventional C2 infrastructures, DISGOMOJI employs Discord channels to communicate with compromised systems. Each infected machine is assigned a unique channel in a Discord server, with channel names formatted to include the victim’s operating system and username. This approach not only helps the attacker maintain individual communication lines with each victim but also leverages a popular, legitimate platform to evade detection. The malware hardcodes an authentication token and server ID into its binary to access the Discord server, creating a dedicated channel for each victim to facilitate communication and control.
DISGOMOJI’s persistence mechanisms are notably robust. The malware installs itself in a hidden directory named .x86_64-linux-gnu within the user’s home directory and uses cron jobs to ensure it runs at system startup. By adding a @reboot entry to the crontab, DISGOMOJI guarantees its persistence across reboots. Additionally, it downloads and executes a script named uevent_seqnum.sh, which monitors for connected USB devices. Files on any detected USB device are copied to a local folder, from which they can later be retrieved by the attacker. This combination of persistence techniques ensures that DISGOMOJI remains active and functional over extended periods.
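A triage check for the persistence described above, written as an added example (it is not Volexity's code or the malware's): it scans crontab text for @reboot jobs that reference the hidden .x86_64-linux-gnu directory or the uevent_seqnum.sh script. The sample crontab lines and the path /home/analyst/... are constructed for illustration.

```python
"""Triage check for the DISGOMOJI persistence described above (added example,
not Volexity's or the malware's code). Scans crontab text for @reboot jobs and
for the hidden directory and USB script the report names; the sample crontab
is constructed for illustration."""
import re
from dataclasses import dataclass

HIDDEN_DIR = ".x86_64-linux-gnu"   # hidden install directory named in the report
USB_SCRIPT = "uevent_seqnum.sh"    # USB-monitoring script named in the report
HIDDEN_HOME_PATH = re.compile(r"/home/[^/\s]+/\.[^/\s]+/")  # dot-dir under /home

# Constructed sample: one benign job, two matching the described persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /home/analyst/.x86_64-linux-gnu/payload
@reboot /bin/bash /home/analyst/.x86_64-linux-gnu/uevent_seqnum.sh
"""

@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str            # "high" or "info"
    reasons: tuple[str, ...]
    text: str

def scan_crontab(text: str) -> list[Finding]:
    """One Finding per crontab job line that shows a persistence indicator."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # blank lines and comments are not jobs
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("@reboot job")
        if HIDDEN_DIR in line:
            reasons.append(f"references {HIDDEN_DIR}")
        if USB_SCRIPT in line:
            reasons.append(f"runs {USB_SCRIPT}")
        if HIDDEN_HOME_PATH.search(line):
            reasons.append("command lives in a dot-directory under /home")
        if reasons:
            # A lone @reboot job is common and legitimate; a hidden-directory
            # path or a known file name is what makes it worth a closer look.
            severity = "high" if len(reasons) > 1 else "info"
            findings.append(Finding(n, severity, tuple(reasons), line))
    return findings
```

Running `scan_crontab(SAMPLE_CRONTAB)` flags lines 3 and 4 as high, while a plain `@reboot /usr/bin/syncthing` job comes back as info only.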
The malware’s C2 communication is carried out using an emoji-based protocol within Discord. Commands sent by the attacker are represented as emojis, each with a specific function. For instance, the “Man Running” emoji (🏃‍♂️) is used to execute commands on the victim’s device, while the “Camera with Flash” emoji (📸) captures screenshots. Other emojis handle file transfers, both uploading and downloading, and exfiltrate specific file types by filtering on their extensions. This use of emojis for C2 communication not only hides the malware’s activities but also sidesteps traditional detection methods that focus on more conventional C2 channels.
In terms of functionality, DISGOMOJI also includes features for exfiltrating data. It collects various files from the infected system, including documents and browser profiles, and uploads them to remote file-sharing services like Oshi and Transfer.sh. This data exfiltration is managed through specific commands issued via Discord emojis, ensuring that sensitive information is systematically retrieved and transmitted to the attacker. The malware’s ability to zip and transfer Firefox profiles (🦊) and find files with specific extensions (🔥) highlights its focus on gathering valuable information efficiently.
DISGOMOJI demonstrates advanced operational capabilities through its use of obfuscation and persistence techniques. The malware’s integration with Discord for C2 and its methods for exfiltrating data reflect a high level of sophistication, aimed at evading detection while conducting thorough espionage activities. By employing a combination of unique communication methods and robust persistence strategies, DISGOMOJI continues to be a potent tool in the arsenal of cyber-espionage actors.
MITRE Tactics and Techniques
Initial Access (TA0001)
Phishing (T1566): DISGOMOJI uses decoy documents and social engineering tactics to initially gain access to victim systems, exploiting the trust placed in seemingly legitimate files.
Execution (TA0002)
Command and Scripting Interpreter (T1059): The malware uses scripts and commands executed through the Linux command line, such as Bash scripts (e.g., LAN_Conf.sh), to carry out its activities.
Persistence (TA0003)
Scheduled Task/Job (T1053): DISGOMOJI establishes persistence using cron jobs, ensuring the malware runs at specified intervals and survives system reboots.
Boot or Logon Autostart Execution (T1547): The malware also leverages XDG autostart entries to ensure it launches upon user login.
Privilege Escalation (TA0004)
Exploit Public-Facing Application (T1190): DISGOMOJI utilizes the DirtyPipe (CVE-2022-0847) privilege escalation exploit to gain elevated permissions on the compromised system.
Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): The malware employs various obfuscation techniques, including the use of bogus strings and obfuscation in script files to evade detection.
Indicator Removal (T1070): By adding extensive comment characters in configuration files, DISGOMOJI attempts to obscure its presence and evade scrutiny.
Credential Access (TA0006)
Credentials from Password Stores (T1555): DISGOMOJI attempts to steal credentials by manipulating user interactions through social engineering tactics, such as fake login prompts created using the Zenity utility.
Discovery (TA0007)
Network Service Scanning (T1046): The malware uses Nmap to perform network discovery and reconnaissance on compromised networks.
Exfiltration (TA0010)
Data Staged (T1074): DISGOMOJI collects and stages data for exfiltration, including sensitive files and browser profiles, which are then uploaded to remote storage services.
Exfiltration Over Command and Control Channel (T1041): The malware uses Discord’s channels and emojis for data exfiltration, embedding files and command results within its C2 communication.
Command and Control (TA0011)
Application Layer Protocol (T1071): DISGOMOJI uses Discord’s application layer protocol for its C2 communications, exploiting the platform’s infrastructure to send and receive commands.
Multilayered C2 (T1105): The malware interacts with multiple layers of C2 channels, creating dedicated channels per victim for specific interactions and data retrieval.