Discord Spy Campaign Uses Emojis to Control Malware; Exploits Old Linux Flaw
June 17, 2024
A persistent, Pakistan-based threat actor is leveraging a well-known Linux vulnerability and novel Discord-based malware to conduct cyber espionage against Indian government organizations. Several earlier reports have covered Pakistan-based surveillance of the Indian government, including Operation RusticWeb, Transparent Tribe, and Celestial Force, though the connections between these operations remain unclear.
A new group, UTA0137, has been highlighted in a recent report from Volexity. This group has effectively infiltrated its high-profile targets by exploiting the 'Dirty Pipe' Linux kernel vulnerability and using a unique tool called 'Disgomoji', described by Blackberry researchers as a comprehensive espionage tool.
Unusually, Disgomoji is controlled using emojis. This malware is a modified version of the open-source, Golang-based discord-c2 program, with Discord serving as its command center. Each infection is managed through its own Discord channel. When activated, Disgomoji sends basic user and system information to the attacker and maintains persistence through reboots via the 'cron' job scheduler. It also downloads and executes a script designed to detect and steal data from USB devices connected to the host system.
The malware is user-friendly, with attackers using simple emojis to instruct it. For instance, a camera emoji signals Disgomoji to capture and upload a screenshot of the victim's device. A fire emoji prompts the program to exfiltrate all files of certain common types, while a skull emoji terminates the malware process. Some commands require additional text-based instruction.
'It is possible some of the customizations made by UTA0137 may help bypass certain detections,' says Tom Lancaster, principal threat intelligence analyst with Volexity. 'However, the emojis gimmick likely would not make much difference regarding security software detections.'
More concerning than the use of emojis is UTA0137's exploitation of the old Linux kernel bug CVE-2022-0847, better known as 'Dirty Pipe'. This high-severity flaw lets an unprivileged local user overwrite data in arbitrary read-only files through the kernel's page cache, which in practice means escalation to root. Despite being publicized and patched over two years ago, the bug still affects a Linux distribution called 'BOSS', which has over 6 million downloads, predominantly in India.
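As a quick triage for the Dirty Pipe exposure described above, the following script compares a kernel release string against the version ranges the upstream fix covered. This is an added example, not code from the article or from Volexity; the version boundaries (introduced in 5.8, fixed in 5.16.11 with backports to 5.15.25 and 5.10.102) are the published upstream facts, while everything else is the author's own construction:

```python
"""Version-based triage for CVE-2022-0847 (Dirty Pipe).

Added example, not from the original article. It only reasons about the
upstream kernel version; see the caveat on vendor backports below.
"""
import platform
import re

# Dirty Pipe was introduced in Linux 5.8. The fix shipped in 5.16.11 and was
# backported to the 5.15 and 5.10 stable series. Mainline 5.17 and later
# carry the fix. Release candidates (5.17-rc1 etc.) are not handled here.
VULN_START = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
MAINLINE_FIX = (5, 17, 0)


def parse_release(release: str) -> tuple:
    """Turn a uname -r string such as '5.15.0-91-generic' into (5, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_dirty_pipe_vulnerable(release: str) -> bool:
    """True if the upstream version is inside the vulnerable window.

    Series that never received a stable backport (5.8, 5.9, 5.11 to 5.14)
    are end-of-life and remain vulnerable at every point release.
    """
    ver = parse_release(release)
    if ver < VULN_START:
        return False
    series = ver[:2]
    if series in FIXED_IN:
        return ver < FIXED_IN[series]
    return ver < MAINLINE_FIX


def check_running_kernel() -> dict:
    """Triage the kernel this script is running on."""
    release = platform.release()
    return {"release": release, "vulnerable_by_version": is_dirty_pipe_vulnerable(release)}


if __name__ == "__main__":
    result = check_running_kernel()
    print(f"{result['release']}: vulnerable by upstream version = "
          f"{result['vulnerable_by_version']}")
```

Treat a `True` result as "needs confirmation" rather than proof: distribution kernels (Ubuntu, Debian, RHEL and derivatives) backport security fixes without changing the upstream version number, so a release such as `5.13.0-35-generic` can be patched despite falling inside the window. Check the vendor changelog or run a vendor-specific CVE check before concluding a host is exposed. A `False` result on a 5.8 or newer kernel is reliable, since the version is at or past the fix.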
Lancaster advises organizations to ensure their operating systems are updated and resistant to known vulnerabilities. As for Disgomoji, he suggests, 'Since the malware uses Discord for command and control, organizations should consider whether access to Discord is required for their users and block it if it is deemed unnecessary. Organizations that are likely to be targeted by UTA0137 may also want to audit active or recent Discord connectivity to determine if it could represent a malware infection.'
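One way to act on the audit advice above is to run egress proxy logs through a filter that separates ordinary browser use of Discord from bot-style sessions, which is the pattern a discord-c2 derivative produces. The following is an added example written for this page, not code from Volexity or from the discord-c2 project: the log format is a constructed key=value form, the sample lines are invented, and the assumption that a bot client talks to Discord's versioned REST API (`/api/v10/...`), the gateway websocket host and the attachment CDN with a non-browser user agent reflects how Discord bots in general behave, not anything the article states about Disgomoji specifically.

```python
"""Flag bot-style Discord sessions in egress proxy logs.

Added example, not from the original article. Log lines are constructed;
the parser assumes one key=value token per field with no spaces in values.
"""
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). 10.20.1.15 behaves like a
# bot: REST API calls, a gateway websocket, an attachment download, and a
# Go HTTP user agent. 10.20.2.88 is a person using Discord in a browser.
SAMPLE_LOG = """\
2024-06-14T09:12:01Z src=10.20.1.15 host=discord.com uri=/api/v10/gateway ua=DiscordBot
2024-06-14T09:12:02Z src=10.20.1.15 host=gateway.discord.gg uri=/?v=10&encoding=json ua=Go-http-client/1.1
2024-06-14T09:13:40Z src=10.20.1.15 host=discord.com uri=/api/v10/channels/1/messages ua=Go-http-client/1.1
2024-06-14T09:15:00Z src=10.20.2.88 host=discord.com uri=/app ua=Mozilla/5.0
2024-06-14T09:16:11Z src=10.20.1.15 host=cdn.discordapp.com uri=/attachments/1/2/report.pdf ua=Go-http-client/1.1
2024-06-14T09:17:30Z src=10.20.3.7 host=example.org uri=/ ua=curl/8.0
"""

DISCORD_HOSTS = re.compile(r"(^|\.)(discord\.com|discordapp\.com|discord\.gg)$")
API_PATH = re.compile(r"^/api/v\d+/")
BROWSER_UA = re.compile(r"Mozilla/")


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    tokens = line.split()
    fields = dict(token.split("=", 1) for token in tokens[1:])
    fields["ts"] = tokens[0]
    return fields


def find_suspicious_discord_clients(log_text: str) -> dict:
    """Return {source_ip: set(reasons)} for sources showing bot-style Discord use.

    Browser user agents are treated as ordinary human use and skipped, so a
    blocked-by-policy decision can still be made separately for those.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if not DISCORD_HOSTS.search(f["host"]):
            continue
        if BROWSER_UA.search(f["ua"]):
            continue
        if f["host"].endswith("discord.gg"):
            findings[f["src"]].add("gateway websocket (bot-style session)")
        elif API_PATH.match(f["uri"]):
            findings[f["src"]].add("bot API call")
        elif f["host"].endswith("discordapp.com"):
            findings[f["src"]].add("attachment transfer")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in find_suspicious_discord_clients(SAMPLE_LOG).items():
        print(src, sorted(reasons))
```

In a real deployment the interesting signal is the combination: a Linux server or workstation with no legitimate Discord use that opens a gateway session and then makes repeated channel-message and attachment requests with a non-browser client. A single hit on `discord.com` from a browser is noise; a persistent gateway session from a host that should never talk to Discord is worth a host-level look at cron entries and recently written scripts, which is where the article says Disgomoji keeps its persistence.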