Volexity has uncovered a new Linux malware, DISGOMOJI, that employs a unique method of using emojis to execute commands on compromised devices. This malware, attributed to the Pakistan-based threat actor UTA0137, targets Indian government agencies. Volexity’s analysis indicates that UTA0137’s espionage-related campaigns have been successful, with the malware designed to execute commands, take screenshots, steal files, and deploy additional payloads.
DISGOMOJI distinguishes itself by utilizing Discord and emojis as a command and control (C2) platform, potentially bypassing traditional security software that searches for text-based commands. The malware, distributed through phishing emails, was discovered as a UPX-packed ELF executable. It primarily targets the custom Linux distribution BOSS, used by Indian government agencies, but could also be adapted for other Linux distributions.
Once executed, the malware downloads a lure PDF from India’s Defence Service Officer Provident Fund and additional payloads, including the DISGOMOJI malware and a shell script for USB data theft. The malware exfiltrates system information to the attackers and connects to a Discord server, awaiting emoji-based commands from the threat actors. This novel approach could help the malware evade detection by security systems looking for string-based commands.
Volexity noted that DISGOMOJI maintains persistence on infected devices using the @reboot cron command, with some versions employing XDG autostart entries. The threat actors use their access to spread laterally, steal data, and acquire additional credentials. While the use of emojis might seem trivial, it represents a sophisticated method to bypass security measures, highlighting the evolving tactics of cyber threat actors.
Reference:
