Cybersecurity firm Volexity has recently identified a cyber espionage marketing campaign targeting Indian government agencies in 2024 using a custom Linux malware.
The newly discovered Linux malware, DISGOMOJI, has been attributed to a Pakistan-based threat actor known as UTA0137. It is written in Golang and compiled for Linux systems.
“In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137,” explains Volexity in a blog post.
“Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.”
DISGOMOJI, is a modified version of the public project Discord-C2, which utilizes the messaging service Discord for command and control (C2) operations, making use of emojis for its C2 communication.
The malware only targets Linux systems, specifically government entities in India, who use a custom Linux distribution named BOSSย as their daily desktop.
This malware is the same โall-in-oneโ espionage tool that Blackberry referenced in aย May 2024 blog post used by the Transparent Tribe actor, a Pakistani-based threat group to target the Indian government, Defense, and Aerospace sectors.
Volexity also uncovered that UTA0137 used DirtyPipe (CVE-2022-0847) privilege escalation exploits against vulnerable โBOSS 9โ systems.
The infection chain started with a UPX-packed ELF written in Golang and delivered within a ZIP file. This ELF downloaded a benign lure file, DSOP.pdf, which is the acronym for Indiaโs Defence Service Officer Provident Fund, to trick the victim.
The malware then downloads the next-stage payload, namedย vmcoreinfo, from a remote server,ย clawsindia[.]in., which is dropped in a hidden folder namedย .x86_64-linux-gnuย on the userโs system.
Once started, DISGOMOJI sends a check-in message in the channel containing the victimโs information, such as the internal IP, username, hostname, operating system, and current working directory. It maintains persistence and can survive system reboots.
DISGOMOJI preserves persistence on the system using cron jobs and can survive system reboots.
However, additional payloads will be downloaded in the background, including the DISGOMOJI malware and a script named uevent_seqnum.sh that is used to check if any USB devices are connected and, if so, steal data from them so the attacker can retrieve it later.
โDISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable,” Volexity continued.
While DISGOMOJI is processing a command, it reacts with a โClockโ emoji in the command message to let the attacker know the command is being processed.
Once the command is fully processed, the โClockโ emoji reaction is removed and DISGOMOJI adds a โCheck Mark Buttonโ emoji as a reaction to the command message to confirm the command was executed.”
Nine different emoji commands are available to the attacker that can be executed on an infected device:
Volexity’s analysis revealed that UTA0137 has also been using legitimate and open-source tools post-infection, which include network scanning with Nmap, network tunneling with Chisel and Ligolo, and stage tooling and exfiltrating data using file-sharing services like oshi[.]at.
Another post-exploitation activity is UTA0137โs use of the Zenity utility to display malicious dialog boxes and socially engineer users into giving up their passwords.
“The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI. UTA0137 has improved DISGOMOJI over time,” the cybersecurity firm said.
Volexity adds that DISGOMOJI has exfiltration capabilities supporting an espionage motive, including convenient commands to steal user browser data and documents and to exfiltrate data.
It also attributes this malicious activity to a Pakistan-based threat actor โwith moderate confidenceโ based on targeting patterns and hardcoded artifacts, particularly targeting Indian government entities.
