
Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are considered vital; consequently, they are often compromised by attacks from threat actors.

This wide use and deployment of Linux makes it a lucrative target for threat actors who want to disrupt services and access sensitive data.

Besides this, the Linux operating system’s open-source nature enables threat actors to analyze its codebase comprehensively for potential vulnerabilities.

Cybersecurity researchers at Volexity recently discovered that Discord-based malware has been attacking the Linux systems of organizations in India.

Technical Analysis

In India, UTA0137, a suspected Pakistani-based threat actor, was found to have carried out a cyber espionage campaign against the Indian government using DISGOMOJI, a custom Linux malware.

For command-and-control communications, the malware uses the Discord messaging service, with commands encoded as emojis.

The use of decoy documents themed around the BOSS Linux distribution indicates that the campaign has mainly targeted users running BOSS Linux.


UTA0137 has exploited the DirtyPipe privilege escalation vulnerability (CVE-2022-0847) in vulnerable BOSS 9 systems.

The campaign used third-party storage services for data exfiltration and open-source tools after infection, reflecting its focus on espionage against Indian government targets.

A portion of the PDF (Source – Volexity)

Volexity researchers examined a UPX-packed, Golang-based ELF that used a harmless-looking lure PDF as cover while downloading the DISGOMOJI malware from a remote server.

The malware uses Discord with a dedicated channel per victim, so the attacker can interact with each infected host individually.

It collects system details, persists using cron, can copy data from USB drives, and can transfer files, enabling data theft.

DISGOMOJI employs an emoji-based protocol for command-and-control over Discord. The attacker sends emojis to issue commands that the malware processes and acknowledges.

Emoji commands (Source – Volexity)

Recent campaigns involve UPX-packed Golang ELFs that display lure documents while stealthily fetching DISGOMOJI, which adds persistence via cron and autostart entries, obfuscates its components, has evolved to prevent multiple instances from running, and retrieves C2 data dynamically.

It continues stealing data from connected USB devices through scripts like uevent_seqnum.sh.

DISGOMOJI checks for and exits if multiple instances are running, now fetches Discord authentication tokens and server IDs dynamically from C2 for resiliency, and contains many misleading strings likely intended to confuse analysts.

Post-exploitation, UTA0137 utilizes network scanning with Nmap, tunneling via Chisel and Ligolo, the oshi[.]at file-sharing service, and social engineering with utilities like Zenity to trick users into revealing passwords.

They actively explore new vulnerabilities like DirtyPipe to escalate privileges on targeted systems.
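The article names DirtyPipe (CVE-2022-0847) twice, first as the route used against BOSS 9 systems and again as the actor's privilege-escalation tool of choice, so a defender's first question is which hosts are still exposed. The following Python is an added example, not code from the article or from Volexity: it classifies a kernel release string against the upstream fix versions for the vulnerability (affected from 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102, per the upstream patch releases). The release strings in the tests are constructed. Distribution kernels frequently backport fixes without changing the version number, so a positive result means "check the vendor advisory for this build", not "confirmed vulnerable".

```python
"""Classify a Linux kernel release string against the CVE-2022-0847 (DirtyPipe)
fix versions. Added example; not from the article or Volexity's report."""
import platform
import re

FIRST_AFFECTED = (5, 8, 0)            # DirtyPipe was introduced in 5.8
FIXED_IN = {                          # first patched release per stable branch
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_CLEAN_BRANCH = (5, 17)          # 5.17 and later shipped with the fix


def parse_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like '5.10.100-generic'
    or '6.1.0-rc1'; a missing patch level is treated as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirtypipe_exposed(release: str) -> bool:
    """True if the upstream version in `release` predates the DirtyPipe fix.
    Vendor backports are not visible here; treat True as 'needs verification'."""
    v = parse_release(release)
    if v < FIRST_AFFECTED:
        return False                  # 5.4, 4.x, ...: bug not present
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]   # patched stable branch: compare patch level
    if branch >= FIRST_CLEAN_BRANCH:
        return False
    # 5.8, 5.9, 5.11-5.14: no upstream stable release carries the fix
    return True


def local_kernel_status() -> tuple[str, bool]:
    """Return (release, exposed) for the kernel this script is running on."""
    rel = platform.release()
    return rel, dirtypipe_exposed(rel)


if __name__ == "__main__":
    rel, exposed = local_kernel_status()
    verdict = "upstream version predates fix, verify vendor backport" if exposed \
        else "upstream version carries the fix or is unaffected"
    print(f"{rel}: {verdict}")
```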

Targeting patterns and hardcoded artifacts suggest UTA0137 is a Pakistan-based threat actor pursuing espionage, particularly against Indian government entities.


Tushar Subhra Dutta
