Emojis Control the Malware in Discord Spy Campaign

Pakistani hackers are spying (▀̿Ĺ̯▀̿ ̿) on the highly sensitive organizations in India by using emojis (Ծ_Ծ) as malicious commands (⚆ᗝ⚆) and the old Dirty Pipe Linux flaw.


An advanced persistent threat (APT) from Pakistan is using an old Linux bug and cheeky Discord-based malware to perform cyber espionage against Indian government organizations.

Much has been made in the news lately of Pakistani threat actors spying on the Indian government. First there were reports of Operation RusticWeb, then Transparent Tribe and Celestial Force. Researchers have yet to conclusively connect the dots between these potentially related operations.

Add to the pile UTA0137, a group described in a new report from Volexity. UTA0137 has been successful at compromising its high-level targets by using the "Dirty Pipe" Linux kernel vulnerability, and "Disgomoji," which BlackBerry researchers recently described as an "all-in-one" espionage tool. Disgomoji also comes with a twist: Instead of typical strings, the malware is directed using emojis.

Disgomoji ᕙ( ͡° ͜ʖ ͡°)ᕗ Malware Analysis

Disgomoji is a modified version of the open source, Golang-based, autological discord-c2 program. Discord is its command center, and each individual infection is managed via its own channel.

Upon activation, Disgomoji sends basic system and user information to the attacker, then establishes persistence across reboots via the "cron" job scheduler. It also downloads and executes a script designed to check for and steal from USB devices connected to the host system.

Disgomoji's greatest trait is how user-friendly it is. Instead of complex strings, attackers instruct it using basic emojis. For example, a camera emoji indicates that Disgomoji should capture and upload a screenshot of the victim's device. A fire emoji tells the program to exfiltrate all files matching certain common file types: CSV, DOC, JPG, PDF, RAR, XLS, ZIP, etc. A skull terminates the malware process.

Some actions do require further, text-based instruction. For example, a man-running emoji is used to execute any sort of command, and it requires an additional argument that specifies exactly what the command will be.

Besides convenience and fun, the emojis don't seem to serve any significant purpose.

"It is possible some of the customizations made by UTA0137 may help bypass certain detections," says Tom Lancaster, principal threat intelligence analyst with Volexity. "However, the emojis gimmick likely would not make much difference regarding security software detections. There are lots of malware families that use numbers to indicate which command they should run, and the use of numbers to denote which command to run doesn’t make it more difficult for security solutions than a string meaning the same thing. The same logic applies to emojis."

More worrying than emojis, arguably, is UTA0137's latest exploitation of an old Linux bug.

Turning on the Tap for Old "Dirty Pipe" Bug

In one recent campaign, researchers observed UTA0137 exploiting CVE-2022-0847, a high-severity bug with a 7.8 CVSS score. Commonly referred to as "Dirty Pipe," it allows unauthorized users to escalate their privileges to root on targeted Linux systems.

Dirty Pipe should be old news by now because it was first publicized more than two years ago. However, it still affects a Linux distribution called "BOSS," with more than 6 million downloads, largely in India.

So, besides network monitoring, Lancaster says, organizations need to ensure their operating systems are up to date and thereby robust against known vulnerabilities.

And regarding Disgomoji, he adds, "Since the malware uses Discord for command and control, organizations should consider whether access to Discord is required for their users and block it if it is deemed unnecessary. Organizations that are likely to be targeted by UTA0137 may also want to audit active or recent Discord connectivity to determine if it could represent a malware infection."
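One way to run the Discord connectivity audit Lancaster describes, as an added example that is not from the article or from Volexity. The resolver log format, client addresses and approved-host list are constructed for illustration, and the domain list covers commonly used Discord domains but is not guaranteed to be exhaustive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Commonly used Discord domains; a query matches on the exact name or any subdomain.
DISCORD_SUFFIXES = ("discord.com", "discordapp.com", "discord.gg", "discord.media", "discordapp.net")

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2024-06-10T08:01:12 10.0.4.17 gateway.discord.gg
2024-06-10T08:01:13 10.0.4.17 discord.com
2024-06-10T09:15:40 10.0.4.52 cdn.discordapp.com
2024-06-11T02:30:05 10.0.4.17 gateway.discord.gg
2024-06-11T07:44:21 10.0.4.90 notdiscord.com
2024-06-11T07:45:02 10.0.4.90 discord.com.example.net
2024-05-01T11:00:00 10.0.4.61 discord.com
malformed line here
"""

def is_discord(name):
    """True only for a Discord domain or one of its subdomains (no substring matches)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DISCORD_SUFFIXES)

def audit(log_text, now, window_days=14, approved=()):
    """Return {client: summary} for clients with Discord lookups inside the window."""
    cutoff = now - timedelta(days=window_days)
    hits = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # wrong field count
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        client, name = parts[1], parts[2]
        if ts < cutoff or not is_discord(name):
            continue
        h = hits[client]
        h["approved"] = client in approved  # hosts with a documented need for Discord
        h["count"] += 1
        h["names"].add(name.lower().rstrip("."))
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for client, h in sorted(audit(SAMPLE_LOG, datetime(2024, 6, 12), approved={"10.0.4.52"}).items()):
        print(client, "approved" if h["approved"] else "REVIEW", h["count"], sorted(h["names"]), h["last"])
```

Hosts reported as REVIEW have recent Discord lookups but no approved need for it; a lookup alone does not prove infection, so treat the output as a starting list for host-level investigation.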

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
