

Cyber Attacks by Pakistani Hackers Using DISGOMOJI Malware Target the Indian Government



A suspected Pakistan-based threat actor has been linked to a cyberespionage campaign that began in 2024 and targeted government agencies in India.

Volexity, a cybersecurity firm, is tracking the activity under the alias UTA0137 and has observed the adversary exclusively using DISGOMOJI, a Golang-written piece of malware that targets Linux systems.


"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it stated.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry reported finding during an infrastructure investigation related to an attack carried out by Transparent Tribe, a hacking group with ties to Pakistan.


Attack chains start with spear-phishing emails that deliver a Golang ELF binary inside a ZIP archive. When run, the program quietly downloads the DISGOMOJI payload from a remote server along with a harmless decoy document.


A custom fork of Discord-C2, DISGOMOJI is designed to execute commands received from an attacker-controlled Discord server and to collect host information. One intriguing aspect is that the commands are sent as emojis:

🏃‍♂️ - Run a command on the victim's device
📃 - Take a screenshot of the victim's device
👇 - Upload a file from the victim's device to the Discord channel
👈 - Upload a file from the victim's device to transfer[.]sh
☝️ - Download a file sent as an attachment to the victim's device
💥 - Download a file hosted on oshi[.]at to the victim's device
🦊 - Stop the malware from running on the victim's device

Two further commands, whose emoji triggers are not reproduced above, locate and exfiltrate files with the extensions DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS and ZIP, and create a ZIP package containing all of the Mozilla Firefox profiles on the victim's device.

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity stated. "The attacker can then interact with every victim individually using these channels."

The company said it discovered several DISGOMOJI variants that establish persistence, prevent multiple DISGOMOJI processes from running concurrently, dynamically retrieve the credentials used to connect to the Discord server at runtime instead of hardcoding them, and hinder analysis by displaying bogus error and informational messages.

In addition, UTA0137 has been observed using legitimate open-source tools such as Nmap for network scanning and Ligolo and Chisel for tunneling. A recent campaign also exploited the DirtyPipe vulnerability (CVE-2022-0847) to escalate privileges on Linux servers.


Another post-exploitation technique uses the Zenity utility to display a malicious dialog box disguised as a Firefox update, coaxing users into entering their passwords.
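The behaviours described above (a non-browser Linux process talking to Discord for C2, uploads to transfer[.]sh or oshi[.]at, a Zenity password prompt dressed up as a Firefox update, and tunneling or scanning tools appearing on hosts) can be turned into simple hunt rules over endpoint telemetry. The following is an added example written for this page, not code from Volexity or from the article; the JSON-lines log format, the host names, the process name `vmcoreinfo` and the allowlist of processes expected to talk to Discord are all constructed assumptions.

```python
"""Hunt for DISGOMOJI-style behaviour in Linux endpoint telemetry (added example)."""
import json
import re
from collections import defaultdict

# Domains named in the article; the rule logic around them is this example's own.
C2_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
EXFIL_DOMAINS = ("transfer.sh", "oshi.at")
# Processes that legitimately talk to Discord in this (assumed) environment.
DISCORD_ALLOWLIST = {"firefox", "chrome", "chromium", "discord"}
# Tunneling / scanning tools named in the article.
TUNNEL_TOOLS = {"ligolo", "ligolo-agent", "chisel", "nmap"}


def _matches(dest: str, domains) -> bool:
    """True if dest is one of the domains or a subdomain of one."""
    return any(dest == d or dest.endswith("." + d) for d in domains)


def classify(event: dict) -> list:
    """Return (rule_id, detail) findings for a single telemetry event."""
    findings = []
    kind = event.get("type")
    proc = event.get("process", "").lower()
    if kind in ("dns", "connect"):
        dest = event.get("dest", "").lower()
        # Discord C2: the malware, not a chat client or browser, opens the connection.
        if _matches(dest, C2_DOMAINS) and proc not in DISCORD_ALLOWLIST:
            findings.append(("discord_c2_nonbrowser", f"{proc} -> {dest}"))
        # Exfiltration to anonymous file hosts used by the 👈 / 💥 commands.
        if _matches(dest, EXFIL_DOMAINS):
            findings.append(("anonymous_file_host", f"{proc} -> {dest}"))
    elif kind == "exec":
        cmdline = event.get("cmdline", "")
        # Zenity password dialog themed as a Firefox update (credential theft).
        if proc == "zenity" and "--password" in cmdline and re.search(r"firefox", cmdline, re.I):
            findings.append(("zenity_fake_firefox_update", cmdline))
        if proc in TUNNEL_TOOLS:
            findings.append(("tunnel_or_scan_tool", cmdline))
    return findings


def hunt(lines) -> dict:
    """Parse JSON-lines telemetry and group findings by host."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the hunt
        for finding in classify(event):
            hits[event.get("host", "unknown")].append(finding)
    return dict(hits)


# Constructed sample telemetry; "vmcoreinfo" is an invented process name and
# <C2_HOST_PLACEHOLDER> stands in for an attacker host the page does not name.
SAMPLE_LOG = """
{"host": "ws01", "type": "connect", "process": "firefox", "dest": "discord.com"}
{"host": "ws01", "type": "connect", "process": "vmcoreinfo", "dest": "gateway.discord.gg"}
{"host": "ws01", "type": "connect", "process": "vmcoreinfo", "dest": "transfer.sh"}
{"host": "ws02", "type": "exec", "process": "zenity", "cmdline": "zenity --password --title='Firefox Update'"}
{"host": "ws02", "type": "exec", "process": "chisel", "cmdline": "chisel client <C2_HOST_PLACEHOLDER>:8080 R:socks"}
not json at all
"""

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_LOG.splitlines()).items():
        for rule, detail in findings:
            print(f"{host}\t{rule}\t{detail}")
```

The allowlist is the part to tune: on a server that should never reach Discord at all, drop it and alert on any connection to the C2 domains. The Zenity rule keys on the `--password` flag plus "Firefox" in the command line, which is what the decoy described above needs; a stricter environment can alert on any `zenity --password` launched from a non-interactive parent.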
