DISGOMOJI: Not A Dance Move 


DISGOMOJI is a sophisticated malware family that targets Linux servers and uses emojis as its form of command execution. It has been attributed to none other than the threat actor UTA0137, who uses it as part of a cyber-espionage campaign by the Pakistan-based actor. Follow along as we dive into what exactly emojis have to do with Linux servers and how these state-sponsored threat actors are becoming stealthier in their attacks. 

What is DISGOMOJI? 
Contrary to how it sounds when pronounced, DISGOMOJI has nothing to do with the dance phenomenon disco; it gets its name from the use of emojis to execute code. The malware is written in Golang, a language prized for its ease of use, and is built for Linux servers to replicate the look of a discord-c2 server. Discord, a popular gaming application, is the source of infection for DISGOMOJI: UTA0137 mimics C2 communication through emojis and specifically targets Indian government organizations that use BOSS, their custom Linux distribution.  

Analysis:  
The infection begins with a ZIP file, discovered by Volexity, containing a UPX-packed ELF (SHA-1 1443e58a298458c30ab91b37c0335bdadbacd756) written in Golang. Once downloaded, the ELF contains a PDF for India's Defense Service Officer Provident Fund that is displayed to the victim (snippet shown below).  

Once the victim has received the file and the PDF is shown to them, the next step in the infection chain starts: a next-stage payload named vmcoreinfo is downloaded from a remote server and dropped in the user's home directory. DISGOMOJI persists through cron, the command line utility used to schedule jobs: by adding entries to the crontab it stays online even after the victim reboots the system, and one of those entries launches a script that copies all files from connected USB drives.  
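As an added example (not code from the original post or from Volexity), the following Python snippet shows how a defender can hunt for the kind of cron persistence described above: it parses a constructed user crontab and flags entries whose executable lives in a home directory or a world-writable location, or carries the payload name vmcoreinfo from the post. The sample crontab lines, the file name usb_copy.sh and the path heuristics are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a user crontab (not taken from the original post). The
# first two lines mimic the persistence described above: a payload named
# vmcoreinfo in the home directory plus a scheduled script (name assumed).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
@reboot /home/alice/vmcoreinfo
*/5 * * * * /home/alice/.cache/usb_copy.sh
0 3 * * * /usr/bin/apt-get update
*/10 * * * * /tmp/.x/update >/dev/null 2>&1
"""

# Hunting heuristics (assumptions of this example): binaries launched from a
# home directory or a world-writable path, and the payload name from the post.
SUSPICIOUS_PATH = re.compile(r"^(/home/[^/\s]+|/root|/tmp|/dev/shm|/var/tmp)(/|$)")
KNOWN_NAMES = {"vmcoreinfo"}

@dataclass
class Entry:
    schedule: str
    command: str

def parse_crontab(text: str) -> list[Entry]:
    """Split crontab lines into schedule and command, handling @-aliases."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment
        # "@reboot cmd" has one schedule field; "m h dom mon dow cmd" has five.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) < 2:
            continue
        entries.append(Entry(" ".join(parts[:-1]), parts[-1]))
    return entries

def flag_entries(entries: list[Entry]) -> list[str]:
    """Return the commands whose executable matches a hunting heuristic."""
    flagged = []
    for e in entries:
        exe = e.command.split()[0]
        name = exe.rsplit("/", 1)[-1]
        if SUSPICIOUS_PATH.match(exe) or name in KNOWN_NAMES:
            flagged.append(e.command)
    return flagged

if __name__ == "__main__":
    for cmd in flag_entries(parse_crontab(SAMPLE_CRONTAB)):
        print("suspicious crontab entry:", cmd)
```

On a live host the same functions can be fed the output of `crontab -l` for each user; the apt-get entry is kept as a benign control that must not be flagged.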

Embedded in DISGOMOJI are an authentication token and a server ID, which are used to access the Discord server for execution. After connecting to the server, the malware creates separate channels to represent individual victims for interaction. To trick victims, each channel follows a specific naming format that includes the operating system and the username of the victim. Once the channels are set up, commands are executed by sending individual emojis through the command channel. Specific emojis, such as the clock and the check mark, are sent back to the attacker to signal that a command has first been executed and then completed. Below is a list of the emojis used by the attacker along with descriptions of the commands they execute.  

Emojis used and their functions – Volexity 

Post Infection:  
UTA0137 has been observed using a multitude of TTPs (tactics, techniques, and procedures) after the initial infection to carry out its malicious intent. Some of these have been in use since the beginning of the campaign in 2023; the list includes Nmap for network scanning, file-sharing services like oshi[.]at to stage and exfiltrate data, and Chisel and Ligolo for quick and easy network tunneling. On several occasions the threat actor has been seen imitating common Firefox update prompts that ask victims to enter their passwords into attacker-controlled dialog boxes. A vulnerability from 2022, DirtyPipe (CVE-2022-0847), is also sometimes deployed against a system to escalate privileges to root.  

Mitigation Techniques: 
Given the sophistication of the attack, a few mitigation techniques you can implement to protect yourself are:  

  • Grant administrative privileges on a need-to-know basis to limit the number of devices that can be compromised. 
  • Understand what a phishing attack and other types of suspicious activity look like, and conduct training so that employees know how to prevent infection. 
  • Subject your systems to proper security monitoring and protection that looks out for unknown network traffic patterns and unfamiliar activity.  

Indicators of Compromise (IOCs)

Hashes:  

