
New Linux malware is controlled via emojis sent via Discord



Introduction: This malware uses Discord and emojis as a command and control (C2) platform.

A newly discovered Linux malware, dubbed “DISGOMOJI,” has targeted government agencies in India using a novel method of leveraging emojis to execute commands on infected devices.

The malware was discovered by cybersecurity firm Volexity, which first identified the cyber-espionage campaign in 2024 and attributes it to a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137.

In its capabilities the malware resembles many other backdoors and botnets seen in other attacks: it lets the threat actors execute commands, take screenshots, steal files, deploy additional payloads, and search for files. What makes it unusual is its use of Discord and emojis as the command and control (C2) platform, which may let it slip past security software that looks for text-based commands.

Discord and emojis as C2

According to Volexity, researchers found the malware after discovering a UPX-packed ELF executable inside a ZIP archive that was likely delivered via phishing emails.

Volexity believes the malware targets BOSS (Bharat Operating System Solutions), a custom Linux distribution used as a desktop OS by Indian government agencies, but the malware could just as easily be used against other Linux distributions.

When the dropper is run, it downloads and displays a decoy PDF containing a beneficiary form for the Indian Defence Officers' Provident Fund, a form used in the event of an officer's death.

In the background, however, it also downloads other payloads, including the DISGOMOJI malware itself and a shell script named "uevent_seqnum.sh" that searches for USB drives and steals data from them.

When DISGOMOJI is launched, it collects system information from the machine, including the IP address, username, hostname, operating system, and current working directory, and sends it back to the attacker.

To control the malware, the threat actors built on the open-source command and control project discord-c2, which uses Discord and emojis to communicate with infected devices and execute commands. The malware connects to the attacker-controlled Discord server and waits for the threat actors to post emojis in the channel.

DISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication is conducted using an emoji-based protocol, where the attacker sends commands to the malware by sending emojis to the command channel and appending additional parameters after the emojis if applicable.

While DISGOMOJI is processing a command, it reacts to the command message with a "clock" emoji to let the attacker know the command is being handled. Once the command has finished, the "clock" reaction is removed and DISGOMOJI adds a "check mark button" emoji reaction to the same message to confirm that the command was executed.

Nine emojis are used to represent commands executed on the infected device, as shown below.

[Figure: table mapping the nine emoji commands to the actions they trigger on the infected device]
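To make the emoji protocol described above concrete, here is an added, offline model of the implant side of the exchange. It is example code written for this page, not DISGOMOJI's or discord-c2's code, and it runs no real commands: each handler only returns a description of what the implant would do. The emoji-to-command table is a hypothetical stand-in for the nine-entry table in the figure, the alarm-clock and check-mark code points are assumptions about which "clock" and "check mark button" emojis are used, and the `Message` class is a minimal substitute for a Discord message object with reactions.

```python
from dataclasses import dataclass, field

# Hypothetical emoji-to-command table (illustrative only; the actual
# nine-emoji table from the Volexity report is not reproduced here).
COMMANDS = {
    "\U0001F3C3": "exec",        # 🏃 run a shell command
    "\U0001F4F8": "screenshot",  # 📸 capture the screen
    "\U0001F447": "download",    # 👇 fetch a file onto the victim
    "\U0001F448": "upload",      # 👈 exfiltrate a file
    "\U0001F50D": "find",        # 🔍 search for files
}
CLOCK = "\u23F0"   # ⏰ assumed "clock" reaction: command in progress
CHECK = "\u2705"   # ✅ assumed "check mark button" reaction: command done


@dataclass
class Message:
    """Minimal stand-in for a Discord message in the command channel."""
    content: str
    reactions: list = field(default_factory=list)
    log: list = field(default_factory=list)  # ordered (add/remove, emoji) events

    def add_reaction(self, emoji):
        self.reactions.append(emoji)
        self.log.append(("add", emoji))

    def remove_reaction(self, emoji):
        self.reactions.remove(emoji)
        self.log.append(("remove", emoji))


def parse_command(content):
    """Return (command, params) when the message starts with a known emoji.

    Parameters are whatever follows the emoji, split on whitespace.
    Messages that do not start with a command emoji are ignored (None).
    """
    text = content.strip()
    for emoji, name in COMMANDS.items():
        if text.startswith(emoji):
            rest = text[len(emoji):].strip()
            return name, rest.split() if rest else []
    return None


def execute(command, params):
    """Simulated handler: describes the action instead of performing it."""
    return f"would {command} {' '.join(params)}".strip()


def process_message(message):
    """Run the clock -> work -> check reaction lifecycle for one message."""
    parsed = parse_command(message.content)
    if parsed is None:
        return None            # ordinary chatter: no reaction, no action
    command, params = parsed
    message.add_reaction(CLOCK)      # signal "processing" to the operator
    result = execute(command, params)
    message.remove_reaction(CLOCK)   # clear the in-progress marker
    message.add_reaction(CHECK)      # confirm completion
    return result


if __name__ == "__main__":
    # Constructed sample channel: one benign message, one command.
    channel = [Message("status check please"), Message("\U0001F3C3 id -u")]
    for msg in channel:
        print(repr(msg.content), "->", process_message(msg), msg.log)
```

The detection takeaway is in the reaction lifecycle rather than the message text: a bot account that repeatedly adds a clock reaction, removes it, and adds a check mark on messages consisting of a lone emoji plus an argument is a pattern visible in Discord audit data even when the "command" itself contains no keyword a text-based rule would match.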

The malware maintains persistence on Linux devices with an @reboot cron entry, which runs the malware each time the system boots.

Volexity said it also found other versions of DISGOMOJI and of the USB data-stealer script that used different persistence mechanisms, including XDG autostart entries.
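Both persistence mechanisms mentioned above (an @reboot cron entry and an XDG autostart .desktop file) are easy to enumerate on a Linux host, so here is an added triage script for that purpose. It is example code written for this page, not Volexity's tooling, and it works over constructed sample inputs embedded below: the crontab text and .desktop file contents are made up for illustration, and the "suspicious directory" markers are a crude heuristic, not an indicator list from the report. On a live system you would feed it the output of `crontab -l` for each user and the files under `~/.config/autostart/` and `/etc/xdg/autostart/`.

```python
import re
from configparser import ConfigParser

# Constructed sample inputs standing in for `crontab -l` output and one
# ~/.config/autostart/*.desktop file. Paths and names are hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.local/share/.cache/agent
@reboot sleep 60 && /tmp/uevent_seqnum.sh
"""

SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=System Update
Exec=/home/user/.config/.sys/agent --daemon
Hidden=false
X-GNOME-Autostart-enabled=true
"""

# Heuristic: autostart commands living in temp or hidden user directories.
SUSPECT_MARKERS = ("/tmp/", "/dev/shm/", "/.cache/", "/.config/.", "/.local/")


def find_reboot_cron(crontab_text):
    """Return the command of every @reboot entry in crontab output."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        m = re.match(r"@reboot\s+(.+)", line)
        if m:
            hits.append(m.group(1))
    return hits


def parse_autostart(desktop_text):
    """Return the Exec= command from an XDG .desktop file, or None."""
    cp = ConfigParser(interpolation=None)  # '%' is legal in Exec= field codes
    cp.read_string(desktop_text)
    if not cp.has_section("Desktop Entry"):
        return None
    return cp.get("Desktop Entry", "Exec", fallback=None)


def is_suspicious(command):
    """True when the command path matches one of the crude location markers."""
    return any(marker in command for marker in SUSPECT_MARKERS)


def triage(crontab_text, desktop_texts):
    """Return (source, command) pairs worth a closer look."""
    flagged = []
    for cmd in find_reboot_cron(crontab_text):
        if is_suspicious(cmd):
            flagged.append(("cron @reboot", cmd))
    for text in desktop_texts:
        cmd = parse_autostart(text)
        if cmd and is_suspicious(cmd):
            flagged.append(("xdg autostart", cmd))
    return flagged


if __name__ == "__main__":
    for source, cmd in triage(SAMPLE_CRONTAB, [SAMPLE_DESKTOP]):
        print(f"{source:14} {cmd}")
```

Note that the heuristic is deliberately narrow; an entry pointing at a normal system path is not cleared by it, so compare every @reboot and autostart command against a known-good baseline rather than relying on the markers alone.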

Once a device is compromised, the threat actors use their access to move laterally, steal data, and attempt to harvest further credentials from the targeted users.

Article translated from: https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/ If reproduced, please indicate the original address
