Linux systems are deployed mostly on servers, in the cloud, and in environments that are considered vital; consequently, they are frequently compromised by threat actors.
This wide use and deployment of Linux makes it a lucrative target for threat actors who want to disrupt services and access sensitive data.
Besides this, the Linux operating system’s open-source nature enables threat actors to analyze its codebase comprehensively for potential vulnerabilities.
Cybersecurity researchers at Volexity recently discovered that Discord-based malware has been attacking the Linux systems of organizations in India.
Technical Analysis
In India, UTA0137, a suspected Pakistani-based threat actor, was found to have carried out a cyber espionage campaign against the Indian government using DISGOMOJI, a custom Linux malware.
For command-and-control communications, the malware uses emojis sent over the Discord messaging service.
The use of decoy documents themed around the BOSS Linux distribution indicates that the campaign has mainly targeted users running BOSS Linux.
UTA0137 has exploited the DirtyPipe privilege escalation vulnerability (CVE-2022-0847) in vulnerable BOSS 9 systems.
This campaign employed third-party storage services for data exfiltration and used open-source tools post-infection, which helped demonstrate its interest in conducting espionage activities against Indian governmental targets.
Volexity researchers examined a UPX-packed Golang ELF that used a harmless-appearing lure PDF while fetching the DISGOMOJI malware from a remote server.
The malware also uses a dedicated Discord channel per victim, so the attacker can interact with each infected host individually.
It collects system details, persists using cron, can copy data from USB drives, and can transfer files, enabling data theft.
DISGOMOJI employs an emoji-based protocol for command-and-control over Discord. The attacker sends emojis to issue commands that the malware processes and acknowledges.
Recent campaigns involve UPX-packed Golang ELFs that display lure documents while stealthily fetching DISGOMOJI, which adds persistence via cron and autostart entries, obfuscates its components, has evolved to prevent multiple instances from running, and now retrieves its C2 data dynamically.
It also steals data from connected USB devices through scripts such as uevent_seqnum.sh.
DISGOMOJI checks for and exits if multiple instances are running, now fetches Discord authentication tokens and server IDs dynamically from C2 for resiliency, and contains many misleading strings likely intended to confuse analysts.
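A defender-side illustration of the persistence behaviour described above: this added example (not code from the article or from Volexity) audits crontab output and an XDG autostart .desktop file for entries that match the reported cron/autostart persistence and the uevent_seqnum.sh script name. The sample crontab and .desktop contents are constructed, and the hidden-directory heuristic is an assumption added here.

```python
import re

# Constructed sample input standing in for `crontab -l` output and an XDG autostart
# .desktop file; paths and names are illustrative, not indicators from the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update -qq
@reboot /home/user/.cache/.x/uevent_seqnum.sh
*/5 * * * * /home/user/.local/share/.disco/update >/dev/null 2>&1
"""
SAMPLE_DESKTOP = """\
[Desktop Entry]
Exec=/home/user/.config/.dsk/uevent_seqnum.sh
"""

# The article names the USB-collection script uevent_seqnum.sh and places persistence in
# cron and autostart. Flagging executables under hidden directories is an added assumption.
KNOWN_SCRIPT_NAMES = {"uevent_seqnum.sh"}
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")

def suspicious_command(cmd):
    # Return the reasons a persistence command matches DISGOMOJI-style behaviour.
    tokens = cmd.split()
    exe = tokens[0] if tokens else ""
    reasons = []
    if exe.rsplit("/", 1)[-1] in KNOWN_SCRIPT_NAMES:
        reasons.append("known script name")
    if HIDDEN_DIR.search(exe):
        reasons.append("executable under hidden directory")
    return reasons

def crontab_commands(text):
    # Yield the command part of each entry; @reboot-style aliases have one schedule field.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = 1 if line.startswith("@") else 5
        parts = line.split(None, fields)
        if len(parts) > fields:
            yield parts[fields]

def desktop_commands(text):
    # Yield the Exec= command line of an XDG autostart .desktop file.
    for line in text.splitlines():
        if line.startswith("Exec="):
            yield line[len("Exec="):].strip()

def audit(crontab_text, desktop_text):
    # Return (command, reasons) for every cron or autostart entry that looks suspicious.
    cmds = list(crontab_commands(crontab_text)) + list(desktop_commands(desktop_text))
    return [(c, suspicious_command(c)) for c in cmds if suspicious_command(c)]
```

On a live host the same functions can be fed the output of `crontab -l` for each user and the contents of `~/.config/autostart/*.desktop`.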
Post-exploitation, UTA0137 utilizes network scanning with Nmap, tunneling via Chisel and Ligolo, the oshi[.]at file-sharing service, and social engineering with utilities like Zenity to trick users into revealing passwords.
They actively explore new vulnerabilities like DirtyPipe to escalate privileges on targeted systems.
Targeting patterns and hardcoded artifacts suggest UTA0137 is a Pakistan-based threat actor pursuing espionage, particularly against Indian government entities.