Pakistan-Linked Cyber Espionage Targets Indian Government with DISGOMOJI Malware
Summary of the Article:
Date: June 15, 2024
Author: Newsroom
Tags: Cyber Espionage, Malware
A Pakistan-based cyber espionage group identified as UTA0137 has been linked to attacks on Indian government entities using a sophisticated malware named DISGOMOJI. This malware, written in Golang, targets Linux systems and is a modified version of the public project Discord-C2, utilizing Discord for command and control (C2) communication via emojis.
Key Points:
- Malware Identification: DISGOMOJI, an advanced espionage tool, was discovered by cybersecurity firm Volexity, and previously noted by BlackBerry in a campaign linked to the Transparent Tribe hacking group.
- Attack Vector: The attack begins with spear-phishing emails containing a Golang ELF binary in a ZIP archive. This binary downloads both a benign document and the DISGOMOJI payload.
- Functionality:
  - The malware captures host information and executes attacker commands sent via emojis from a Discord server.
  - Commands include actions like executing commands, capturing screenshots, uploading/downloading files, exfiltrating specific file types, and gathering Firefox profiles.
  - Each victim is represented as a dedicated channel in the attacker’s Discord server.
- Advanced Features:
  - Variations of DISGOMOJI include features for persistence, prevention of duplicate processes, dynamic credential fetching, and anti-analysis mechanisms.
- Additional Tactics:
  - UTA0137 utilizes tools such as Nmap for network scanning and Chisel and Ligolo for tunneling.
  - The DirtyPipe flaw (CVE-2022-0847) is exploited for privilege escalation.
  - The Zenity utility is used to create fake Firefox update dialogs to trick users into divulging their passwords.
- Impact: The attacker has successfully infected several targets with DISGOMOJI, reflecting ongoing improvements in the malware’s capabilities.
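Two of the behaviours summarized above (a Go binary using Discord for C2, and zenity dialogs posing as a Firefox update) lend themselves to simple host-level checks. The following is an added defender-side example, not code from the article, from Volexity, or from the malware: it runs two triage rules over constructed process and connection records. The record fields, the list of expected Discord clients, the sample data, and the assumption that the lure dialog is built with zenity's `--password` option are all illustrative choices, not details from the page.

```python
# Added example (not from the article): two host-level triage checks over
# constructed process-start and network-connection records.
from dataclasses import dataclass
from typing import List

# Discord endpoints; matching is suffix-based so subdomains are covered.
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")

# Process names that legitimately talk to Discord on a workstation (assumed list;
# tune it to the software actually deployed in the environment).
EXPECTED_DISCORD_CLIENTS = {"discord", "firefox", "chrome", "chromium"}


@dataclass(frozen=True)
class Connection:
    """One outbound connection, as a defender might join ss/lsof output with DNS logs."""
    pid: int
    comm: str         # process name
    exe: str          # executable path
    remote_host: str  # resolved destination host


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event (e.g. from auditd or an EDR); fields are assumed."""
    pid: int
    ppid: int
    comm: str
    parent_comm: str
    argv: List[str]


def is_discord_host(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DISCORD_HOSTS)


def unexpected_discord_clients(conns: List[Connection]) -> List[Connection]:
    """Connections to Discord from a process that is not a known client or browser.
    An unfamiliar ELF binary holding a Discord connection is the signal worth triaging."""
    return [c for c in conns
            if is_discord_host(c.remote_host)
            and c.comm.lower() not in EXPECTED_DISCORD_CLIENTS]


def fake_browser_password_dialogs(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """zenity password prompts branded as a Firefox update but not spawned by Firefox.
    Assumption: the lure uses zenity's --password option with a Firefox-themed title."""
    hits = []
    for e in events:
        if e.comm != "zenity":
            continue
        args = " ".join(e.argv).lower()
        if "--password" in args and "firefox" in args and e.parent_comm.lower() != "firefox":
            hits.append(e)
    return hits


# Constructed sample data; none of these records come from a real incident.
SAMPLE_CONNECTIONS = [
    Connection(1201, "firefox", "/usr/lib/firefox/firefox", "discord.com"),
    Connection(1322, "discord", "/opt/discord/Discord", "gateway.discord.gg"),
    Connection(2417, "update-helper", "/tmp/.cache/update-helper", "discord.com"),
    Connection(2518, "curl", "/usr/bin/curl", "example.org"),
]

SAMPLE_EVENTS = [
    ProcessEvent(3001, 1201, "zenity", "firefox",
                 ["zenity", "--info", "--text=Download complete"]),
    ProcessEvent(3002, 2417, "zenity", "update-helper",
                 ["zenity", "--password", "--title=Firefox Update Required"]),
]


if __name__ == "__main__":
    for c in unexpected_discord_clients(SAMPLE_CONNECTIONS):
        print(f"pid {c.pid} ({c.exe}) -> {c.remote_host}: unexpected Discord client")
    for e in fake_browser_password_dialogs(SAMPLE_EVENTS):
        print(f"pid {e.pid} zenity spawned by {e.parent_comm}: possible credential lure")
```

Both rules are allow-list based rather than signature based: they do not depend on the emoji command set or on any sample hash, so they keep working across the DISGOMOJI variants the summary mentions. The trade-off is false positives from legitimate Discord bots or custom zenity scripts, which is why the output is meant as a triage queue rather than a block decision.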
For more information and updates, follow The Hacker News on Twitter and LinkedIn.