June 15, 2024 at 01:15PM
A newly discovered Linux malware family named ‘DISGOMOJI’ uses emojis sent over Discord to issue commands to infected devices in attacks on Indian government agencies, and is attributed to a Pakistan-based threat actor tracked as ‘UTA0137.’ Encoding commands as emojis may let the malware slip past security software that looks for text-based commands. DISGOMOJI maintains persistence on compromised devices and is built to exfiltrate sensitive information.
Key takeaways from the report:
– A new Linux malware named ‘DISGOMOJI’ has been discovered that uses emojis to execute commands on infected devices in attacks on government agencies in India.
– The malware was found by cybersecurity firm Volexity, which attributes it to a Pakistan-based threat actor tracked as ‘UTA0137’.
– Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India, with successful campaigns detected.
– The malware stands out for using Discord as its command-and-control (C2) platform and emojis as the command encoding, which may let it evade security software that looks for text-based commands.
– The malware targets BOSS (Bharat Operating System Solutions), a Debian-based Linux distribution used by Indian government agencies as their desktop operating system.
– Once executed, the malware exfiltrates system information and downloads additional payloads, including a shell script for stealing data from USB drives.
– The threat actors control the malware with the open-source C2 project discord-c2: operators send emojis to a command channel on a Discord server, and the infected device polls that channel and executes whatever action the emoji maps to.
– The malware maintains persistence through an @reboot cron entry that relaunches it at boot; Volexity also observed variants that rely on other mechanisms, such as XDG autostart entries.
– The threat actors use their access to move laterally, steal data, and try to harvest additional credentials from targeted users.
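The two observable traits above are what a defender can actually hunt for: a process that is neither the Discord client nor a browser talking to the Discord API, and an @reboot cron or XDG autostart entry launching a binary from a hidden directory. The emoji encoding never reaches the endpoint or the wire in a form a keyword rule would catch, so the hunt has to key on channel and persistence, not command content. The following Python is an added illustration, not Volexity's tooling or the malware's code: it runs three checks over constructed sample data (a crontab, an autostart .desktop file and a list of process-to-host connections in the shape an EDR export might give). The Discord hostnames, the allowlist of expected Discord clients and all sample values are assumptions.

```python
"""Hunting helpers for Discord-based C2 and @reboot/autostart persistence.

Added example, not Volexity's or the malware's code. Operates on constructed
sample data so it runs offline; hostnames and allowlists are assumptions.
"""
import re
from typing import Iterable, List, Optional

# Hosts the Discord API and CDN live on (assumption; extend from your own
# DNS or proxy logs).
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg", "discordapp.net")

# Process names that legitimately reach Discord on a desktop (assumption).
# Anything else talking to the Discord API (an interpreter, a binary under
# $HOME) is what a discord-c2 style implant looks like on the wire.
EXPECTED_DISCORD_CLIENTS = {"Discord", "firefox", "chrome", "chromium"}

# Either "@reboot <cmd>" or the five classic time fields followed by <cmd>.
CRON_LINE = re.compile(r"^\s*(@reboot|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")


def reboot_cron_entries(crontab_text: str) -> List[str]:
    """Return the commands scheduled with @reboot in a user crontab.

    Comment lines and VAR=value assignments are skipped.
    """
    found = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        m = CRON_LINE.match(line)
        if m and m.group(1) == "@reboot":
            found.append(m.group(2).strip())
    return found


def xdg_autostart_exec(desktop_text: str) -> Optional[str]:
    """Return the Exec= command from an XDG autostart .desktop file, or None."""
    in_entry = False
    for line in desktop_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_entry = s == "[Desktop Entry]"
        elif in_entry and s.startswith("Exec="):
            return s[len("Exec="):].strip()
    return None


def unexpected_discord_clients(connections: Iterable[dict]) -> List[dict]:
    """Flag processes reaching Discord that are not an expected Discord client.

    Each record is {"pid": int, "comm": str, "exe": str, "dst_host": str},
    the shape an EDR or an auditd+DNS join might export (constructed).
    """
    flagged = []
    for c in connections:
        host = c["dst_host"].lower().rstrip(".")
        if not any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS):
            continue
        if c["comm"] in EXPECTED_DISCORD_CLIENTS:
            continue
        flagged.append(c)
    return flagged


# Constructed sample crontab: one legitimate backup job, one hidden @reboot implant.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
@reboot /home/user/.x/updater >/dev/null 2>&1
"""

# Constructed sample autostart entry pointing at the same hidden binary.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=System Update
Exec=/home/user/.x/updater
X-GNOME-Autostart-enabled=true
"""

# Constructed connection records: browser and package manager are benign,
# the hidden binary and a bare interpreter talking to Discord are not.
SAMPLE_CONNECTIONS = [
    {"pid": 2210, "comm": "firefox", "exe": "/usr/lib/firefox/firefox", "dst_host": "discord.com"},
    {"pid": 3141, "comm": "updater", "exe": "/home/user/.x/updater", "dst_host": "discord.com"},
    {"pid": 3142, "comm": "python3", "exe": "/usr/bin/python3", "dst_host": "cdn.discordapp.com"},
    {"pid": 900, "comm": "apt", "exe": "/usr/bin/apt", "dst_host": "deb.debian.org"},
]

if __name__ == "__main__":
    for cmd in reboot_cron_entries(SAMPLE_CRONTAB):
        print("cron @reboot:", cmd)
    print("autostart Exec:", xdg_autostart_exec(SAMPLE_DESKTOP))
    for c in unexpected_discord_clients(SAMPLE_CONNECTIONS):
        print(f"pid {c['pid']} {c['exe']} -> {c['dst_host']}")
```

In a real deployment the three inputs come from `crontab -l` for each user, the files under `~/.config/autostart/` and `/etc/xdg/autostart/`, and whatever process-to-destination telemetry the endpoint agent provides; the allowlist of Discord clients should be tightened to whatever is actually approved on a government desktop, which on a BOSS fleet may well be nothing at all.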
Encoding commands as emojis may let the malware bypass security software that looks for text-based malware commands, but it changes only the command syntax: the C2 traffic is still ordinary HTTPS to the Discord API, and the implant still has to survive a reboot. Detection should therefore key on which processes on a BOSS desktop are talking to Discord and on unexpected @reboot cron or autostart entries, rather than on the content of the commands.