
Pakistani hackers use DISGOMOJI malware in cyberattacks on Indian government

June 15, 2024. Press release. Cyber espionage / malware

A suspected Pakistan-based threat actor has been linked to a cyberespionage campaign targeting Indian government agencies in 2024.

Cybersecurity firm Volexity is tracking the activity under the name UTA0137 and notes that the attacker exclusively uses a malware called DISGOMOJI, which is written in Golang and designed to infect Linux systems.

“It is a modified version of the public Discord-C2 project, which uses the Discord command and control (C2) messaging service and uses emojis for its C2 communications,” it said.

It is worth noting that DISGOMOJI is the same “all-in-one” spying tool that BlackBerry discovered during an infrastructure analysis related to an attack campaign by the Transparent Tribe actor, a hacker group linked to Pakistan.


The attack chains start with spear phishing emails containing a Golang ELF binary delivered in a ZIP archive file. The binary then downloads a harmless decoy document while also secretly downloading the DISGOMOJI payload from a remote server.

DISGOMOJI is a custom fork of Discord-C2 and is designed to capture host information and execute commands received from an attacker-controlled Discord server. Interestingly, the commands are sent in the form of various emojis –

  • 🏃‍♂️ – Execute a command on the victim’s device
  • 📸 – Take a screenshot of the victim’s screen
  • 👇 – Upload a file from the victim’s device to the channel
  • 👈 – Upload a file from the victim’s device to transfer(.)sh
  • ☝️ – Download a file to the victim’s device
  • 👉 – Download a file hosted on oshi(.)at to the victim’s device
  • 🔥 – Search and exfiltrate files with the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS and ZIP
  • 🦊 – Collect all Mozilla Firefox profiles on the victim’s device in a ZIP archive
  • 💀 – Terminate the malware process on the victim’s device

“The malware creates its own channel in the Discord server, meaning that each channel in the server represents a single victim,” Volexity said. “The attacker can then interact with each victim individually through these channels.”

DISGOMOJI malware

The company said it discovered different DISGOMOJI variants with the following capabilities: establishing persistence, preventing duplicate DISGOMOJI processes from running simultaneously, dynamically retrieving the credentials for connecting to the Discord server at runtime (rather than hard-coding them), and hindering analysis by displaying bogus informational and error messages.


UTA0137 has also been observed using legitimate, open-source tools: Nmap for network scanning, and Chisel and Ligolo for tunneling. A recent campaign also exploited the DirtyPipe vulnerability (CVE-2022-0847) to achieve privilege escalation on Linux hosts.
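Because the privilege-escalation step relies on an old, well-patched kernel bug, a first triage question for defenders is simply whether a host still runs a kernel in the affected range. The script below is an added example (not code from the article or from Volexity) that parses a kernel version string, such as the output of `uname -r`, and reports whether it falls inside the DirtyPipe range. The thresholds it uses (introduced in 5.8, fixed upstream in 5.10.102, 5.15.25 and 5.16.11, and in 5.17 and later) are the upstream stable fix points, not figures from this article. Distribution kernels often backport the fix without changing the version number, so the result is a prompt to check the vendor advisory, not a verdict.

```shell
#!/bin/sh
# Added example: classify a Linux kernel version string against the range
# affected by DirtyPipe (CVE-2022-0847). Upstream fix points assumed here:
# 5.10.102, 5.15.25, 5.16.11; everything from 5.17 on carries the fix.

# ver_key VERSION -> integer key (major*1000000 + minor*1000 + patch)
# Suffixes such as "-generic" or "-arch1-1" and any non-numeric text are dropped.
ver_key() {
    v=${1%%-*}
    v=${v%%+*}
    # shellcheck disable=SC2046
    set -- $(printf '%s' "$v" | tr -c '0-9.' ' ' | tr '.' ' ')
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    echo $((a * 1000000 + b * 1000 + c))
}

# dirtypipe_affected VERSION -> prints "affected" or "not-affected"
# (version-string check only; backported distro fixes are not visible here)
dirtypipe_affected() {
    k=$(ver_key "$1")

    # Bug introduced in 5.8; anything older is out of range.
    if [ "$k" -lt "$(ver_key 5.8)" ]; then
        echo not-affected; return 0
    fi

    # Long-term branches that received a point-release fix.
    if [ "$k" -ge "$(ver_key 5.10)" ] && [ "$k" -lt "$(ver_key 5.11)" ]; then
        [ "$k" -ge "$(ver_key 5.10.102)" ] && { echo not-affected; return 0; }
        echo affected; return 0
    fi
    if [ "$k" -ge "$(ver_key 5.15)" ] && [ "$k" -lt "$(ver_key 5.16)" ]; then
        [ "$k" -ge "$(ver_key 5.15.25)" ] && { echo not-affected; return 0; }
        echo affected; return 0
    fi
    if [ "$k" -ge "$(ver_key 5.16)" ] && [ "$k" -lt "$(ver_key 5.17)" ]; then
        [ "$k" -ge "$(ver_key 5.16.11)" ] && { echo not-affected; return 0; }
        echo affected; return 0
    fi

    # 5.17 and later include the fix; every other 5.8+ branch is in range.
    if [ "$k" -ge "$(ver_key 5.17)" ]; then
        echo not-affected; return 0
    fi
    echo affected; return 0
}

# Stand-alone use: report on the running kernel.
printf 'kernel %s: %s\n' "$(uname -r)" "$(dirtypipe_affected "$(uname -r)")"
```

Run it on a fleet through whatever remote-execution tooling you already have and treat "affected" as a queue for patch verification; the version-string check is cheap and catches hosts that fell out of update cycles, which is exactly where an old kernel bug remains usable.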

Another post-exploitation tactic uses the Zenity utility to display a malicious dialog box disguised as a Firefox update, with the goal of social engineering users into revealing their passwords.

“The attacker managed to infect a number of victims with its Golang malware DISGOMOJI,” Volexity said. “UTA0137 has improved DISGOMOJI over time.”
