New ‘DISGOMOJI’ Linux Malware Uses Emojis for Command Execution in Attacks
A novel Linux malware, dubbed ‘DISGOMOJI,’ has been discovered employing a unique method of using emojis to execute commands on compromised systems. This malware has been targeting government agencies in India.
The cybersecurity firm Volexity identified this malware and attributes its development to a Pakistan-based threat actor, labeled ‘UTA0137.’
“In 2024, Volexity detected a cyber-espionage campaign linked to a suspected Pakistan-based threat actor, which we currently track under the alias UTA0137,” Volexity reported.
“Volexity confidently assesses that UTA0137’s objectives are espionage-related, focusing on targeting government entities in India. Our analysis indicates that UTA0137’s campaigns have achieved success,” continued the researchers.
DISGOMOJI operates similarly to other backdoors and botnets, allowing attackers to execute commands, capture screenshots, steal files, deploy additional malware, and search for files. However, its use of Discord and emojis for command and control (C2) sets it apart, potentially evading security software that typically monitors for text-based commands.
Discord and Emojis for Command and Control
Volexity uncovered this malware after identifying a UPX-packed ELF executable within a ZIP archive, likely distributed via phishing emails. The malware targets a custom Linux distribution named BOSS, used by Indian government agencies.
Upon execution, the malware downloads and displays a decoy PDF—a beneficiary form from India’s Defence Service Officer Provident Fund. Concurrently, it downloads additional payloads, including the DISGOMOJI malware and a shell script ‘uevent_seqnum.sh’ designed to search for and steal data from USB drives.
When activated, DISGOMOJI exfiltrates system information, such as IP address, username, hostname, operating system, and current working directory, back to the attackers.
The threat actors control the malware using the open-source command and control project discord-c2, which leverages Discord and emojis to communicate with infected devices. The malware connects to an attacker-controlled Discord server and awaits emoji-based commands in a specific channel.
“DISGOMOJI monitors the command channel on the Discord server for new messages. C2 communication occurs via an emoji-based protocol, where the attacker sends commands using emojis, with additional parameters following the emoji if necessary. While processing a command, DISGOMOJI reacts with a ‘Clock’ emoji to indicate the command is being executed. Once the command is complete, the ‘Clock’ emoji is replaced with a ‘Check Mark Button’ emoji to confirm execution.”
Volexity identified nine emojis representing different commands for the malware to execute on an infected device.
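Because the implant has to poll a Discord channel for new messages, the C2 traffic looks like a headless client hitting Discord's API at a steady cadence. The following hunting script is an added example written for this article, not Volexity's tooling or anything from the discord-c2 project. It runs over a constructed, simplified web-proxy log and flags hosts that call Discord API hostnames without a browser-style User-Agent and at beacon-like regular intervals. The hostnames in DISCORD_HOSTS are Discord's public API and gateway names as known to the author, and the thresholds are assumptions to tune for your environment.

```python
"""Hunt for Discord-as-C2 indicators in a simplified web-proxy log.

Added example, not from the Volexity report or the discord-c2 project.
Each constructed log line has the form:
    <epoch> <source_host> <method> <url> <user_agent...>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Discord's public API/gateway hostnames as known to the author (assumption:
# extend or adjust for your proxy's view of the service).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
# A headless implant has little reason to present a browser User-Agent.
BROWSER_UA_MARKERS = ("Mozilla/",)
# Polling a channel at a near-constant interval is beacon-like (assumed thresholds).
MIN_HITS = 5
MAX_JITTER_SECONDS = 5.0

# Constructed sample: one workstation polls the messages endpoint every 10 s
# from a scripting User-Agent; another host uses the real client; one line is
# unrelated intranet traffic.
SAMPLE_LOG = """\
1718000000 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000010 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000020 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000030 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000040 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000050 ws-finance-07 GET https://discord.com/api/v9/channels/123/messages python-requests/2.31.0
1718000003 ws-comms-02 GET https://discord.com/api/v9/users/@me Mozilla/5.0 (X11; Linux x86_64) discord/0.0.50
1718000900 ws-comms-02 GET https://discord.com/api/v9/users/@me Mozilla/5.0 (X11; Linux x86_64) discord/0.0.50
1718000005 ws-finance-07 GET https://www.example.gov/intranet Mozilla/5.0 (X11; Linux x86_64)
"""


def parse_line(line):
    """Split one proxy record; the User-Agent may itself contain spaces."""
    ts, host, method, url, ua = line.split(" ", 4)
    return {"ts": float(ts), "host": host, "method": method,
            "domain": (urlsplit(url).hostname or "").lower(), "ua": ua}


def is_non_client_discord_hit(rec):
    """True when a Discord API host is contacted without a browser-style UA."""
    return rec["domain"] in DISCORD_HOSTS and not rec["ua"].startswith(BROWSER_UA_MARKERS)


def find_beaconing_hosts(lines, min_hits=MIN_HITS, max_jitter=MAX_JITTER_SECONDS):
    """Return {host: stats} for hosts whose non-client Discord hits recur at a
    steady interval (every gap within max_jitter seconds of the mean gap)."""
    hits = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if is_non_client_discord_hit(rec):
            hits[rec["host"]].append(rec["ts"])

    findings = {}
    for host, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        jitter = max(abs(g - mean) for g in gaps)
        if jitter <= max_jitter:
            findings[host] = {"hits": len(stamps), "interval_s": mean, "jitter_s": jitter}
    return findings


if __name__ == "__main__":
    for host, stats in find_beaconing_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {stats['hits']} Discord API hits, "
              f"every {stats['interval_s']:.1f}s (jitter {stats['jitter_s']:.1f}s)")
```

The User-Agent test is a cheap triage filter, not a signature: any client can claim to be a browser, and the cadence check will miss an implant that randomises its polling. On managed hosts where Discord is not sanctioned software, the more useful rule is simpler still: any request to these hostnames deserves a look, regardless of headers.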
Persistence and Lateral Movement
The malware maintains persistence on Linux systems through a cron entry scheduled with @reboot, which runs the job each time the system starts. Volexity also discovered additional persistence mechanisms for DISGOMOJI and the USB data theft script, such as XDG autostart entries.
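Both persistence mechanisms named here are easy to enumerate on a Linux host. The audit script below is an added example written for this article, not Volexity's or the malware's code. Its scanning functions take text so they can be exercised offline on the constructed crontab and .desktop samples embedded in the block; collect_live() shows how to feed them from a real system. The sample file paths are placeholders (only the script name uevent_seqnum.sh comes from the report), and the "suspicious" heuristic is an assumption: both mechanisms are widely used by legitimate software, so a match is a lead to triage, not a verdict.

```python
"""Audit @reboot cron entries and XDG autostart files on a Linux host.

Added example, not from the Volexity report. Sample inputs are constructed;
their paths are placeholders and do not come from the report.
"""
import configparser
import glob
import os
import subprocess

# Constructed crontab: one benign @reboot job, one pointing at a script in a
# hidden home directory (the script name is from the report, the path is not).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /home/user/.hidden/uevent_seqnum.sh
@reboot    /usr/bin/setxkbmap -option caps:escape
"""

SAMPLE_DESKTOP_OK = """\
[Desktop Entry]
Type=Application
Name=Network Manager Applet
Exec=nm-applet
"""

# Constructed: a system-looking name whose Exec lives in a hidden home directory.
SAMPLE_DESKTOP_BAD = """\
[Desktop Entry]
Type=Application
Name=gnome-session-helper
Exec=/home/user/.local/share/.x/helper
X-GNOME-Autostart-enabled=true
"""

TEMP_LOCATIONS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def find_reboot_cron(crontab_text):
    """Return the command part of every line scheduled with @reboot."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if line.startswith("@reboot"):
            hits.append(line[len("@reboot"):].strip())
    return hits


def parse_autostart(desktop_text, path="<memory>"):
    """Pull Name and Exec from a .desktop file (ini-style, duplicate keys tolerated)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(desktop_text)
    if not cp.has_section("Desktop Entry"):
        return None
    sec = cp["Desktop Entry"]
    return {"path": path, "name": sec.get("Name", ""), "exec": sec.get("Exec", "")}


def looks_suspicious(command):
    """Heuristic (assumption): executable lives in a temp dir or a hidden
    directory under /home. Legitimate autostart commands rarely do either."""
    parts = command.split()
    exe = parts[0] if parts else ""
    return exe.startswith(TEMP_LOCATIONS) or (exe.startswith("/home/") and "/." in exe)


def audit(crontab_texts, desktop_entries):
    """Combine both sources into one list of findings for review."""
    findings = []
    for text in crontab_texts:
        for cmd in find_reboot_cron(text):
            findings.append({"source": "cron", "command": cmd, "suspicious": looks_suspicious(cmd)})
    for path, text in desktop_entries:
        entry = parse_autostart(text, path)
        if entry:
            findings.append({"source": "xdg", "command": entry["exec"], "suspicious": looks_suspicious(entry["exec"])})
    return findings


def collect_live():
    """Gather crontabs and autostart files from this host (root sees all users)."""
    crontabs, desktops = [], []
    try:
        crontabs.append(subprocess.run(["crontab", "-l"], capture_output=True, text=True, check=False).stdout)
    except FileNotFoundError:
        pass
    cron_paths = ["/etc/crontab"] + glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*")
    for path in cron_paths:
        try:
            with open(path) as fh:
                crontabs.append(fh.read())
        except OSError:
            pass
    desktop_paths = glob.glob(os.path.expanduser("~/.config/autostart/*.desktop")) + glob.glob("/home/*/.config/autostart/*.desktop") + glob.glob("/etc/xdg/autostart/*.desktop")
    for path in desktop_paths:
        try:
            with open(path) as fh:
                desktops.append((path, fh.read()))
        except OSError:
            pass
    return crontabs, desktops


if __name__ == "__main__":
    for finding in audit(*collect_live()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"[{flag}] {finding['source']}: {finding['command']}")
```

Run it as root to cover every user's crontab and home directory. The heuristic flags only location, so also compare each Exec target against your software inventory and check file ownership and modification times on anything it reports.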
After breaching a device, the threat actors leverage their access to spread laterally, steal data, and attempt to obtain additional credentials from targeted users.
While the use of emojis may appear to be a quirky innovation, it poses a significant threat by potentially bypassing security software that typically searches for text-based commands, highlighting the sophistication and creativity of modern cyber-espionage tactics.