Emojis Under Siege: The Latest Threat in Cybersecurity


 

Emojis are being used by Linux malware known as “DISGOMOJI” to take control of compromised machines via Discord. The malware was discovered by cybersecurity company Volexity, which attributed it to ‘UTA0137,’ a Pakistan-based threat actor that targets Indian government entities.



“In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137,” the firm reported. “We assess with high confidence that UTA0137 has espionage-related objectives targeting government entities in India. Based on our analysis, UTA0137’s campaigns have been successful.”


The malware targets the BOSS Linux distribution used by Indian agencies; however, it can infect other Linux distributions as well. It was discovered within a UPX-packed ELF executable in a ZIP archive that was probably circulated by phishing emails.



Once the malware is executed, it displays a bogus PDF that appears to be a beneficiary form from the Defense Service Officer Provident Fund in India. In the background, it covertly downloads additional payloads, including the DISGOMOJI malware and a shell script called ‘uevent_seqnum.sh’ that is used to steal data from USB drives.


DISGOMOJI exfiltrates system information to the attackers, including the IP address, username, hostname, operating system, and current working directory. Built on the open-source discord-c2 project, the malware uses Discord channels for command and control and lets attackers issue commands as emojis, thereby circumventing security software that looks for text-based commands.


The discovery of this virus highlights the evolving tactics used by cybercriminals to infiltrate and exploit sensitive targets. The use of legitimate-looking documents to deliver malware underscores the importance of vigilance and skepticism when handling unexpected files, even from seemingly trusted sources.


Organizations and individuals are urged to update their security protocols to include robust anti-malware solutions capable of detecting and mitigating such threats. Regular system scans, cautious handling of email attachments, and educating users about potential phishing tactics are essential steps in safeguarding against similar attacks.


In conclusion, the deceptive nature of this virus, combined with its advanced data exfiltration and command-and-control capabilities, serves as a stark reminder of the ever-present threat posed by cybercriminals. Enhanced awareness and proactive security measures are vital in defending against such sophisticated attacks.


Relevance:

  • First seen in India, but could pivot to any Linux distribution


Recommendations:

  • Review if you are allowing Discord for your users.

  • Should Discord be blocked in your environment?

  • Audit any recent Discord connectivity to determine if you are at risk.
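As an added example (not code from the original post or from the referenced reporting), the script below audits constructed proxy-log lines for Discord connectivity and singles out sources whose Discord traffic never came from a browser user agent. The log layout, the sample lines and the Discord domain list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumption: common Discord API/gateway/CDN parent domains; extend from your own logs.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Constructed sample lines in an assumed layout: timestamp src_ip method host/path user_agent
SAMPLE_LOG = """\
2024-06-15T09:01:02Z 10.0.5.21 CONNECT gateway.discord.gg Go-http-client/1.1
2024-06-15T09:01:05Z 10.0.5.21 GET discord.com/api/v9/channels Go-http-client/1.1
2024-06-15T09:02:10Z 10.0.7.44 GET cdn.discordapp.com/attachments Mozilla/5.0 (X11; Linux x86_64)
2024-06-15T09:03:00Z 10.0.9.12 GET example.org/index.html curl/8.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

def host_of(target: str) -> str:
    """Strip any path so 'discord.com/api' becomes 'discord.com'."""
    return target.split("/", 1)[0].lower()

def is_discord_host(host: str) -> bool:
    """Match the domain itself or any subdomain (not look-alikes such as notdiscord.com)."""
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)

def audit_discord(log_text: str) -> dict:
    """Return {src_ip: {"hits": n, "hosts": set, "agents": set}} for Discord traffic only."""
    findings = defaultdict(lambda: {"hits": 0, "hosts": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        _, src, _, target, agent = m.groups()
        host = host_of(target)
        if is_discord_host(host):
            f = findings[src]
            f["hits"] += 1
            f["hosts"].add(host)
            f["agents"].add(agent)
    return dict(findings)

def non_browser_sources(findings: dict) -> list:
    """Sources whose Discord traffic never carried a browser UA; review these first."""
    return sorted(src for src, f in findings.items()
                  if not any(a.startswith("Mozilla/") for a in f["agents"]))

if __name__ == "__main__":
    result = audit_discord(SAMPLE_LOG)
    for src, f in sorted(result.items()):
        print(src, f["hits"], sorted(f["hosts"]), sorted(f["agents"]))
    print("review first:", non_browser_sources(result))
```

A browser user agent is not proof of legitimacy, so treat the output as a triage list for the audit, not a verdict.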


References:

Abrams, L. (2024, June 15). New Linux malware is controlled through emojis sent from Discord. Bleeping Computer. https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord

 

How can CyberForce|Q services help you address this risk?


Our team can assist your organization in reviewing the devices on your network and determining the level of prioritization they need. We can also conduct a penetration test for your organization to gain a thorough understanding of the gaps within your environment. To get started, reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.

