
DISGOMOJI Malware

A cyberespionage campaign targeting Indian government entities in 2024 has been attributed to a suspected threat actor based in Pakistan. Security experts tracking this campaign attribute it to a threat actor identified as UTA0137, which employs a unique malware named DISGOMOJI. This malware, written in Golang, specifically targets Linux systems.

DISGOMOJI Exploits the Legitimate Discord Platform

DISGOMOJI is a customized iteration of the public Discord-C2 project, utilizing the Discord messaging service for Command-and-Control (C2) operations, with emojis integrated for communication.

Interestingly, DISGOMOJI is the same comprehensive espionage tool that cybersecurity researchers previously identified during an infrastructure analysis of an attack attributed to Transparent Tribe, a hacking group linked to Pakistan.

The DISGOMOJI Malware is Controlled via Discord Emojis

The attack begins with spear-phishing emails containing a Golang ELF binary enclosed within a ZIP archive. Upon execution, the binary fetches a harmless decoy document while discreetly downloading the DISGOMOJI payload from a remote server.

DISGOMOJI, a customized version of Discord-C2, is engineered to gather host data and execute commands from a Discord server controlled by the attacker. It uses a unique method of sending and interpreting commands through various emojis:

✅ - Indicates completion of a command

💀 - Terminates the malware process on the victim's device

🏃‍♂️ - Executes a command on the victim's device

📸 - Takes a screenshot of the victim's screen

👇 - Uploads a file from the victim's device to the channel

☝️ - Downloads a file to the victim's device

👈 - Uploads a file from the victim's device to transfer[.]sh

👉 - Downloads a file hosted on oshi[.]at to the victim's device

🦊 - Gathers Mozilla Firefox profiles on the victim's device into a ZIP archive

🕐 - Informs the attacker that the command is being processed

🔥 - Searches for and exfiltrates files with specific extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP

The malware establishes a separate channel on the Discord server for each victim, allowing the attacker to interact with each victim individually through these channels.
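As an added example, not code from the page or from the DISGOMOJI or Discord-C2 projects, the following Go program classifies exported Discord channel messages against the emoji command set above and pairs each operator command with the implant's 🕐/✅ replies in the same per-victim channel, which is the exchange pattern a defender reviewing channel logs would look for. The Message layout, author names and category labels are assumptions of this example.

```go
package main

import "strings"

// commands maps each DISGOMOJI emoji listed above to what it does; 🕐 and ✅ are implant replies.
var commands = map[string]string{
	"🏃‍♂️": "command-execution", "💀": "process-control", "📸": "exfiltration",
	"👇": "exfiltration", "👈": "exfiltration", "🦊": "exfiltration", "🔥": "exfiltration",
	"☝️": "payload-download", "👉": "payload-download", "🕐": "ack", "✅": "ack",
}

// strip drops variation selectors and ZWJs so "☝" and "☝️" compare equal.
var strip = strings.NewReplacer("\ufe0f", "", "\u200d", "")

type Message struct{ Channel, Author, Text string } // constructed, simplified Discord message

type Finding struct { // one operator command and whether the implant acknowledged it
	Channel, Author, Emoji, Category string
	Acked                            bool
}

// Classify returns the emoji command a message starts with, if any.
func Classify(text string) (emoji, category string, ok bool) {
	n := strip.Replace(strings.TrimSpace(text))
	for e, c := range commands {
		if strings.HasPrefix(n, strip.Replace(e)) {
			return e, c, true
		}
	}
	return "", "", false
}

// Analyze pairs each operator command with a later 🕐/✅ from another author in the same channel.
func Analyze(msgs []Message) []Finding {
	var out []Finding
	open := map[string]int{} // channel -> index of its latest command finding
	for _, m := range msgs {
		e, c, ok := Classify(m.Text)
		switch {
		case !ok: // ordinary chat, ignore
		case c == "ack":
			if i, pending := open[m.Channel]; pending && out[i].Author != m.Author {
				out[i].Acked = true
			}
		default:
			out = append(out, Finding{m.Channel, m.Author, e, c, false})
			open[m.Channel] = len(out) - 1
		}
	}
	return out
}
```

A command that is never acknowledged in its channel is still reported, since an unanswered 🔥 or 👉 from an unknown author is worth a look on its own.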

Different Versions of DISGOMOJI Show Variations in Capabilities

Researchers have discovered various iterations of DISGOMOJI equipped with advanced features, including the ability to establish persistence, prevent simultaneous execution of duplicate DISGOMOJI processes, dynamically retrieve the credentials for the Discord server connection at runtime, and hinder analysis by presenting misleading informational and error messages.

In addition, the threat actor UTA0137 has been observed leveraging legitimate open-source tools such as Nmap, Chisel, and Ligolo for network scanning and tunneling. A recent campaign exploited the DirtyPipe vulnerability (CVE-2022-0847) to escalate privileges on Linux hosts. Another post-exploitation tactic involves using the Zenity utility to display a fraudulent dialog box posing as a Firefox update, aiming to deceive users into revealing their passwords.
