Linux systems, widely deployed in critical server and cloud environments, are frequent targets for malicious attacks by threat actors seeking to disrupt services and access sensitive information.
The open-source nature of Linux also exposes it to thorough scrutiny by threat actors looking for vulnerabilities in its codebase.
Recently, cybersecurity researchers at Volexity uncovered a malware campaign using Discord-based tactics to target organizations in India.
Technical Insights
In India, cybersecurity experts identified a cyber espionage campaign conducted by UTA0137, suspected to be a threat actor based in Pakistan. This campaign employed DISGOMOJI, a custom Linux malware.
DISGOMOJI utilizes Discord, a messaging platform, for command and control operations, leveraging emojis for communication.
The campaign specifically targeted users of the BOSS Linux distribution, exploiting the DirtyPipe privilege escalation vulnerability (CVE-2022-0847) present in vulnerable BOSS 9 systems.
Data exfiltration was conducted through third-party storage services, while open-source tools were used post-infection, indicating a focused interest in espionage activities against Indian governmental targets.
Volexity’s analysis revealed a Golang-based ELF packed with UPX, disguised as harmless PDF lure documents, distributed from a remote server to deliver DISGOMOJI malware.
DISGOMOJI establishes unique Discord channels per victim, allowing personalized interaction between the attacker and each compromised system.
The malware gathers system details, achieves persistence through cron jobs and autostart entries, obfuscates its components, and prevents multiple instances to avoid detection.
It can steal data from connected USB devices using scripts like uevent_seqnum.sh.
DISGOMOJI’s command-and-control protocol uses emojis, where the attacker sends commands via Discord emojis that the malware interprets and executes.
Recent iterations of the campaign involve UPX-packed Golang ELF files delivering lure documents, persisting through cron jobs, obfuscating components, dynamically fetching Discord authentication tokens and server IDs from command-and-control servers for resilience, and evading detection with misleading strings.
Post-exploitation tactics include network scanning using Nmap, tunneling through tools like Chisel and Ligolo, utilizing file-sharing services such as oshi[.]at, and employing social engineering techniques with utilities like Zenity to trick users into disclosing passwords.
UTA0137 actively seeks new vulnerabilities like DirtyPipe to escalate privileges on targeted Linux systems.
Based on targeting patterns and hardcoded artifacts, UTA0137 appears to be a Pakistan-based threat actor engaged in espionage activities, particularly targeting Indian government entities.
Source: cybersecuritynews.com
