DISGOMOJI: New Linux Malware Uses Emojis for Command Execution

Jun 17, 2024 | News


DISGOMOJI Malware Uses Emojis to Execute Commands in Cyber Attacks on Indian Government Agencies

A newly discovered Linux malware, dubbed ‘DISGOMOJI,’ employs a unique approach by using emojis to execute commands on infected devices, targeting government agencies in India. The malware, uncovered by cybersecurity firm Volexity, is believed to be linked to a Pakistan-based threat actor identified as ‘UTA0137.’

“In 2024, Volexity identified a cyber-espionage campaign conducted by a suspected Pakistan-based threat actor that Volexity tracks under the alias UTA0137,” explains the firm. “We assess with high confidence that UTA0137 has espionage-related objectives and aims to target government entities in India. Our analysis indicates that UTA0137’s campaigns have been successful.”

DISGOMOJI functions similarly to other backdoors and botnets, enabling threat actors to execute commands, capture screenshots, steal files, deploy additional payloads, and search for files. However, its use of Discord and emojis as a command and control (C2) platform distinguishes it from other malware, potentially evading security software that scans for text-based commands.


Unique C2 Mechanism: Discord and Emojis

The malware was discovered when Volexity researchers found a UPX-packed ELF executable in a ZIP archive, likely distributed via phishing emails. The malware appears to target a custom Linux distribution called BOSS, used by Indian government agencies as their desktop OS, though it can also infect other Linux distributions.

Upon execution, the malware downloads and displays a PDF lure—a beneficiary form from India’s Defence Service Officer Provident Fund. Concurrently, it downloads additional payloads, including DISGOMOJI and a shell script named ‘uevent_seqnum.sh,’ which searches for USB drives and steals data from them.

Once launched, DISGOMOJI exfiltrates system information, including IP address, username, hostname, operating system, and current working directory, sending this data back to the attackers. The threat actors control the malware using the open-source project discord-c2, which leverages Discord and emojis for communication and command execution.

DISGOMOJI connects to an attacker-controlled Discord server and awaits emoji-based commands. “DISGOMOJI listens for new messages in the command channel on the Discord server,” Volexity explains. “C2 communication uses an emoji-based protocol where the attacker sends commands via emojis, with additional parameters as needed. While processing a command, the malware reacts with a ‘Clock’ emoji to indicate progress and a ‘Check Mark Button’ emoji upon completion.”

The malware uses nine different emojis to represent various commands for execution on the infected device.




Persistence and Broader Threat

DISGOMOJI maintains persistence by using the @reboot cron command, ensuring it executes upon system startup. Volexity also discovered additional versions employing other persistence mechanisms, such as XDG autostart entries, for both DISGOMOJI and the USB data theft script.
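A defender-side hunt for the two persistence mechanisms named above (cron `@reboot` jobs and XDG autostart entries), written as an added example for this post and not code from Volexity or the article; the crontab and `.desktop` samples are constructed, and the list of "user-writable" path prefixes is an assumption about where legitimate startup jobs rarely live:

```python
import re

# Constructed sample of `crontab -l` output for the example; not from the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
@reboot /home/user/.local/.helper
@reboot /tmp/uevent_seqnum.sh
"""

# Constructed sample ~/.config/autostart/*.desktop file; not from the article.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Name=System Update
Exec=/home/user/.cache/.x/loader
"""

# Assumption: legitimate startup jobs rarely execute from these user-writable locations.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def _from_writable_path(cmd: str) -> bool:
    # Look at the program path only, not its arguments; tolerate an empty command.
    return (cmd.split() or [""])[0].startswith(SUSPICIOUS_PREFIXES)


def scan_crontab(text: str) -> list:
    """Return (source, command, reason) for every @reboot job in crontab text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"@reboot\s+(.+)", line)
        if m:
            cmd = m.group(1)
            reason = "@reboot job"
            if _from_writable_path(cmd):
                reason += " from user-writable path"
            findings.append(("cron", cmd, reason))
    return findings


def scan_desktop_entry(text: str) -> list:
    """Return findings for XDG autostart entries whose Exec= runs from a user-writable path."""
    findings = []
    for line in text.splitlines():
        if line.startswith("Exec="):
            cmd = line[len("Exec="):].strip()
            if _from_writable_path(cmd):
                findings.append(("xdg", cmd, "autostart Exec from user-writable path"))
    return findings
```

Feed it the real `crontab -l` output for each user and every file under `~/.config/autostart/` and `/etc/xdg/autostart/`; an `@reboot` job or autostart `Exec=` pointing into `/tmp` or a hidden home-directory path is a lead worth triaging, not proof on its own.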

Once a device is compromised, the threat actors utilize their access to spread laterally, steal data, and attempt to capture additional credentials from targeted users. While the use of emojis in malware may seem like a novelty, it represents a sophisticated method to bypass detection by security software typically looking for string-based commands.


Source: www.bleepingcomputer.com
