Emoji as a weapon: even harmless emoticons can steal your data

Tomcat

Attackers have turned Discord into a spy hideout.

Researchers at Volexity recently linked a hacker group from Pakistan to a cyber espionage campaign targeting Indian government agencies.

The group's activity is tracked as UTA0137. In its attacks it uses malware called DISGOMOJI, written in Go and built to infect Linux systems.

"This is a modified version of the public Discord-C2 project, which uses the Discord messaging service for command and control and relies on emoji to transmit commands," Volexity's researchers report.

DISGOMOJI is an all-in-one espionage tool that BlackBerry first spotted in May this year while analysing infrastructure linked to Transparent Tribe, a hacker group with Pakistani roots.

Attacks begin with phishing emails carrying a ZIP archive that contains a Go ELF executable. When run, it opens a benign decoy document while silently fetching the DISGOMOJI payload from a remote server.

DISGOMOJI, as a customised build of Discord-C2, collects host information and executes commands received from a Discord server controlled by the attackers. Its distinguishing feature is that commands are issued as emoji rather than as text.

"The malware creates its own channel on the Discord server, so each channel represents a separate victim," Volexity adds.

The company found several variants of DISGOMOJI that add persistence, prevent a second copy of the malware from running, fetch the Discord credentials dynamically at runtime, and hinder analysis by printing misleading output and bogus error messages.

UTA0137 also relies on legitimate open-source tools such as Nmap, Chisel and Ligolo for network scanning and tunnelling, and exploits the DirtyPipe vulnerability (CVE-2022-0847) for privilege escalation on Linux hosts.

Another post-exploitation trick uses the Zenity utility to pop up a dialog disguised as a Firefox update prompt, tricking the user into typing in their password.

"The attackers managed to infect a number of victims with their Go malware, DISGOMOJI," Volexity reports. "UTA0137 has improved DISGOMOJI over time."

By using seemingly harmless emoji as commands, the attackers make their command traffic look like ordinary chat on a legitimate, widely permitted service, so it blends into normal messaging and gives keyword-based filters nothing to match on. The tactic shows how inventive attackers have become in finding ways around security controls.

Organisations need to watch for unconventional attack vectors, as attackers become ever more creative in using unexpected tools and channels to reach their goals. On a Linux host, a non-browser process talking to the Discord API is worth a second look.
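To make the emoji-command scheme concrete, here is an added example that models it in Python. It is not code from DISGOMOJI, from the Discord-C2 project or from Volexity: the emoji table, the one-channel-per-victim naming rule and the message layout are assumptions chosen to illustrate the mechanism, the simulated implant records what an emoji would trigger without running anything, and no network traffic is sent. The second half shows a hunting heuristic a defender could apply to an exported Discord channel: a channel where nearly every message parses as a bare emoji command, with no conversation around it, is a candidate C2 channel.

```python
"""Model of an emoji-keyed Discord C2 scheme, plus a channel-hunting heuristic.

Added example, not the malware's code. Everything below is an assumption made
for illustration: the emoji table, channel naming and message format.
"""

# ASSUMED command table. Each action is one emoji, so an operator message
# carries no keyword ("exec", "upload", ...) for a content filter to match;
# any argument follows the emoji after a single space.
COMMANDS = {
    "🏃": "exec",        # run the rest of the message as a shell command
    "📸": "screenshot",
    "👆": "upload",      # send a file from the host to the operator
    "👇": "download",    # fetch a file onto the host
    "💀": "exit",
}


def parse_command(text):
    """Split one operator message into (action, argument), or None for chat."""
    head, _, rest = text.strip().partition(" ")
    head = head.replace("\ufe0f", "")       # strip emoji presentation selector
    action = COMMANDS.get(head)
    if action is None:
        return None
    return action, rest.strip()


def victim_channel(hostname, username):
    """One channel per infected host (assumed naming scheme)."""
    return f"{hostname}-{username}".lower()


class Implant:
    """Simulated implant: logs what each emoji would trigger and runs nothing."""

    def __init__(self, hostname, username):
        self.channel = victim_channel(hostname, username)
        self.alive = True
        self.log = []

    def handle(self, message):
        parsed = parse_command(message)
        if parsed is None:
            return "ignored"                # ordinary chat in the channel
        action, arg = parsed
        self.log.append((action, arg))
        if action == "exit":
            self.alive = False
        return f"{action}({arg})" if arg else f"{action}()"


# Hunting side: score a channel by how much of it is emoji commands.
def emoji_command_share(messages):
    """Fraction of messages in a channel that parse as emoji commands."""
    if not messages:
        return 0.0
    hits = sum(1 for m in messages if parse_command(m) is not None)
    return hits / len(messages)


def looks_like_c2_channel(messages, minimum=5, threshold=0.8):
    """Flag a channel when it is long enough and almost entirely commands.

    A single chat message that happens to start with an emoji also parses
    (see CHAT_MESSAGES), which is why the share over the whole channel, not
    any one message, is the signal."""
    return len(messages) >= minimum and emoji_command_share(messages) >= threshold


# Constructed samples, not a real capture.
OPERATOR_MESSAGES = [
    "🏃 id; uname -a",
    "📸",
    "👆 /home/user/Documents/report.pdf",
    "👇 https://example.invalid/tool",
    "🏃 cat /etc/hosts",
    "💀",
]
CHAT_MESSAGES = ["hey 🏃", "lunch at 12?", "📸 look at this meme", "lol", "ok see you"]


if __name__ == "__main__":
    implant = Implant("websrv01", "alice")
    for msg in OPERATOR_MESSAGES:
        print(implant.channel, repr(msg), "->", implant.handle(msg))
    print("operator channel flagged:", looks_like_c2_channel(OPERATOR_MESSAGES))
    print("chat channel flagged:", looks_like_c2_channel(CHAT_MESSAGES))
```

Note that the heuristic only works on message content a defender can actually see, such as a Discord export or a proxy with TLS inspection; on the wire the traffic is just HTTPS to the Discord API, which is why the host-side question (which process is talking to Discord, and why) is the more practical one.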
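The Zenity password prompt described above is easy to hunt for on a Linux desktop, because Zenity's password dialogs are built from a handful of well-known flags (`--password`, or `--entry --hide-text`) and a lure needs a `--title` or `--text` that sells the "update" story. The following added example, which is not from the article, from Volexity or from the malware, classifies process-list records for that pattern and reports the parent process. The records are constructed for the example; the real dialog's title and wording are not given in the article, so the lure words are an assumption.

```python
"""Hunt for Zenity dialogs used to phish a user's password.

Added example, not from the article. The process records are constructed and
the lure-word list is an assumption; adapt both to your own telemetry.
"""
import shlex

# Zenity flags that produce a masked input field.
PASSWORD_FLAGS = {"--password", "--hide-text"}
# ASSUMED words a "fake update" lure would put in the dialog title or text.
LURE_WORDS = ("update", "upgrade", "firefox", "security", "authenticat")


def _option(argv, name):
    """Return the value of a long option given as `--name value` or `--name=value`."""
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith(name + "="):
            return tok[len(name) + 1:]
    return ""


def classify_zenity(cmdline):
    """Return a reason string if cmdline is a Zenity password prompt, else None."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("zenity"):
        return None
    if not PASSWORD_FLAGS & set(argv):
        return None                          # info/question dialogs are not of interest
    shown = (_option(argv, "--title") + " " + _option(argv, "--text")).lower()
    if any(word in shown for word in LURE_WORDS):
        return f"password prompt themed as update: {shown.strip()!r}"
    return "password prompt"


def hunt(procs):
    """Return findings for every process record that is a Zenity password prompt.

    Each record is a dict with pid, ppid, parent (comm of the parent) and
    cmdline, i.e. what `ps -eo pid,ppid,comm,args` or an EDR export gives you."""
    findings = []
    for proc in procs:
        reason = classify_zenity(proc["cmdline"])
        if reason is not None:
            findings.append({
                "pid": proc["pid"],
                "parent": f'{proc["parent"]}({proc["ppid"]})',
                "reason": reason,
            })
    return findings


# Constructed sample records, not taken from a real host.
PROCS = [
    {"pid": 4120, "ppid": 4098, "parent": "bash",
     "cmdline": 'zenity --password --title="Firefox update" '
                '--text="Firefox needs your password to install the update"'},
    {"pid": 4301, "ppid": 1987, "parent": "gnome-session",
     "cmdline": "zenity --info --text=Backup finished"},
    {"pid": 4410, "ppid": 4390, "parent": "python3",
     "cmdline": "zenity --entry --hide-text --title=Login"},
]


if __name__ == "__main__":
    for finding in hunt(PROCS):
        print(f'pid {finding["pid"]} from {finding["parent"]}: {finding["reason"]}')
```

The parent process is the part worth acting on: a genuine desktop prompt for credentials comes from the session or the package manager's own agent, not from a shell, an interpreter or an unknown ELF, so a match here with an odd parent deserves a look at that parent's binary and its network connections.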