Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary’s exclusive use of a malware called DISGOMOJI that’s written in Golang and is designed to infect Linux systems.

“It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication,” it said.

It’s worth noting that DISGOMOJI is the same “all-in-one” espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. It also adopts the novel approach of sending and processing commands using different emojis -

• 🏃‍♂️ - Execute a command on the victim’s device
• 📸 - Capture a screenshot of the victim’s screen
• 👇 - Upload a file from the victim’s device to the channel
• 👈 - Upload a file from the victim’s device to transfer[.]sh
• ☝️ - Download a file to the victim’s device
• 👉 - Download a file hosted on oshi[.]at to the victim’s device
• 🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
• 🦊 - Gather all Mozilla Firefox profiles on the victim’s device into a ZIP archive
• 💀 - Terminate the malware process on the victim’s device
• 🕐 - Inform the attacker that the command is being processed
• ✅ - Inform the attacker that the command has completed execution

“The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim,” Volexity said. “The attacker can then interact with every victim individually using these channels.”

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

“The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI,” Volexity said. “UTA0137 has improved DISGOMOJI over time.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.