Emojis Control the Malware in Discord Spy Campaign

Published: 23/11/2024   Category: security

Pakistani hackers are spying (▀̿Ĺ̯▀̿ ̿) on the highly sensitive organizations in India by using emojis (Ծ_Ծ) as malicious commands (⚆ᗝ⚆) and the old Dirty Pipe Linux flaw.



An advanced persistent threat (APT) from Pakistan is using an old Linux bug and cheeky Discord-based malware to perform cyber espionage against Indian government organizations.
Much has been made in the news lately of Pakistani threat actors spying on the Indian government. First there were reports of Operation RusticWeb, then Transparent Tribe and Celestial Force. Researchers have yet to conclusively connect the dots between these potentially related operations.
Add to the pile UTA0137, a group described in a new report from Volexity. UTA0137 has been successful at compromising its high-level targets by using the Dirty Pipe Linux kernel vulnerability, and Disgomoji, which BlackBerry researchers recently described as an all-in-one espionage tool. Disgomoji also comes with a twist: instead of typical strings, the malware is directed using emojis.
Disgomoji is a modified version of the open source, Golang-based, autological discord-c2 program. Discord is its command center, and each individual infection is managed via its own channel.
Upon activation, Disgomoji sends basic system and user information to the attacker, then establishes persistence through reboots via the cron job scheduler. It also downloads and executes a script designed to check for and steal from USB devices connected to the host system.
Disgomoji's greatest trait is how user-friendly it is. Instead of complex strings, attackers instruct it using basic emojis. For example, a camera emoji indicates that Disgomoji should capture and upload a screenshot of the victim's device. A fire emoji tells the program to exfiltrate all files matching certain common file types: CSV, DOC, JPG, PDF, RAR, XLS, ZIP, etc. A skull terminates the malware process.
Some actions do require further, text-based instruction. For example, a man-running emoji is used to execute any sort of command, and it requires an additional argument that specifies exactly what the command will be.
Besides convenience and fun, the emojis don't seem to serve any significant purpose.
"It is possible some of the customizations made by UTA0137 may help bypass certain detections," says Tom Lancaster, principal threat intelligence analyst with Volexity. "However, the emojis gimmick likely would not make much difference regarding security software detections. There are lots of malware families that use numbers to indicate which command they should run, and the use of numbers to denote which command to run doesn't make it more difficult for security solutions than a string meaning the same thing. The same logic applies to emojis."
More worrying than emojis, arguably, is UTA0137's latest exploitation of an old Linux bug.
In one recent campaign, researchers observed UTA0137 exploiting CVE-2022-0847, a high-severity bug with a 7.8 CVSS score. Commonly referred to as Dirty Pipe, it allows unauthorized users to escalate and obtain root privileges in targeted
Linux systems.
Dirty Pipe should be old news by now because it was first publicized more than two years ago. However, it still affects a Linux distribution called BOSS, with more than 6 million downloads, largely in India.
So, besides network monitoring, Lancaster says, organizations need to ensure their operating systems are up to date and thereby robust to known vulnerabilities.
And regarding Disgomoji, he adds, "Since the malware uses Discord for command and control, organizations should consider whether access to Discord is required for their users and block it if it is deemed unnecessary. Organizations that are likely to be targeted by UTA0137 may also want to audit active or recent Discord connectivity to determine if it could represent a malware infection."
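One way to act on that audit advice, as an added example written for this article (not code from Volexity, BlackBerry or the malware authors): a short Python script that scans proxy log lines for connections to Discord hostnames from hosts that are not on an approved list. The log format ("timestamp client host bytes") and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Discord hostnames worth flagging; the suffix match also catches subdomains such as
# gateway.discord.gg or cdn.discordapp.com.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg", "discordapp.net")

# Constructed sample proxy log: "<timestamp> <client-ip> <destination-host> <bytes>".
# These lines are made up for the example, not taken from a real incident.
SAMPLE_LOG = """\
2024-11-20T09:12:01Z 10.0.5.21 api.github.com 4821
2024-11-20T09:12:44Z 10.0.5.21 discord.com 1932
2024-11-20T09:13:02Z 10.0.7.8 gateway.discord.gg 40211
2024-11-20T09:13:30Z 10.0.7.8 cdn.discordapp.com 88123
2024-11-20T09:14:11Z 10.0.5.40 updates.example.org 2201
2024-11-20T09:15:59Z 10.0.7.8 discord.com 1700
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def is_discord_host(host):
    """True if host is a Discord domain or one of its subdomains (whole-label match,
    so a look-alike such as discord.com.example.test is not flagged)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def audit_discord(log_text, approved_clients=frozenset()):
    """Summarise Discord connections per client IP, skipping approved clients.

    Returns {client_ip: {"hits": count, "bytes": total, "hosts": set_of_hosts}}.
    Malformed lines are ignored rather than aborting the audit.
    """
    findings = defaultdict(lambda: {"hits": 0, "bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, host, nbytes = m.groups()
        if client in approved_clients or not is_discord_host(host):
            continue
        entry = findings[client]
        entry["hits"] += 1
        entry["bytes"] += int(nbytes)
        entry["hosts"].add(host)
    return dict(findings)


if __name__ == "__main__":
    # Treat 10.0.5.21 as a workstation where Discord is sanctioned; everything else is suspect.
    for ip, info in sorted(audit_discord(SAMPLE_LOG, {"10.0.5.21"}).items()):
        print(f"{ip}: {info['hits']} connections, {info['bytes']} bytes -> {sorted(info['hosts'])}")
```

A server that suddenly shows sustained Discord gateway traffic, as 10.0.7.8 does in the sample, is the kind of finding the quoted advice asks defenders to follow up on.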
