The PolySwarm Blog


DISGOMOJI Linux RAT Controlled Via Discord Emojis

Jun 24, 2024 3:02:07 PM / by The Hivemind

Verticals Targeted: Government

Executive Summary

DISGOMOJI is a RAT controlled via emojis sent over Discord. It was recently observed targeting government entities in India.

Key Takeaways

  • The threat actor UTA0137 was observed using DISGOMOJI to target Indian government entities in what appears to be an espionage campaign.
  • DISGOMOJI is unique in that it is controlled by emojis sent over the Discord messaging app.
  • While other malware has used Discord for C2 in the past, the use of emojis to send commands is a novel technique. 

What is DISGOMOJI?

A threat actor known as UTA0137 was recently observed using a new RAT to target government entities in India. The RAT, known as DISGOMOJI, is unique in that it is controlled by emojis sent over the Discord messaging app. While other malware has used Discord for C2 in the past, the use of emojis to send commands is a novel technique. Volexity reported on DISGOMOJI.

According to Volexity, UTA0137 likely has a Pakistan nexus. The group was observed using DISGOMOJI to target Indian government entities in what appears to be an espionage campaign. UTA0137 is the only threat actor known to use DISGOMOJI.

DISGOMOJI is a RAT that targets Linux systems. It is written in Go and is a modified version of the public discord-c2 project, which uses Discord for C2. Commands are issued as emojis posted in the Discord messaging app, and the malware's responses come back over the same channel.

UTA0137 used Linux malware paired with decoy documents for initial access, and the recovered files suggest the lures were delivered by phishing. Volexity noted that Linux malware is an unusual choice for this kind of campaign unless the threat actors knew they were targeting Linux desktop users. In this case, the attacks were tailored for Linux because Indian government entities use a custom Linux distribution known as BOSS (Bharat Operating System Solutions). Volexity also observed UTA0137 using DirtyPipe (CVE-2022-0847) for privilege escalation on BOSS 9 systems.

The initial malware is delivered as a UPX-packed ELF inside a ZIP file. The ELF downloads a decoy PDF document themed around India's Defence Service Officer Provident Fund, then downloads the next-stage payload, an instance of DISGOMOJI, from a remote server. DISGOMOJI also arrives as a UPX-packed ELF. It installs a cron job for persistence, so it survives reboots.
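The cron persistence is a useful hunting pivot on a suspected host. The following Python script is an added example, not code from the Volexity report or from PolySwarm: it parses user-crontab lines (the five-field format, plus @reboot-style shortcuts) and flags entries that run a binary from a temp or home directory, use a hidden path component, run at boot, or discard their output. The sample crontab is constructed for the example, and the heuristics are general; the report does not quote the exact entry DISGOMOJI writes, so none is assumed here.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample crontab (not taken from any real infection).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.cache/.updater >/dev/null 2>&1
*/5 * * * * /tmp/.X11-lock/sysd
17 * * * * /usr/local/bin/backup.sh
"""

# Directories an unprivileged dropper can write to; binaries launched from
# here by cron deserve a look. Heuristic list chosen for this example.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")


@dataclass
class CronFinding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def split_cron_line(line):
    """Return (schedule, command) for a user-crontab entry.

    Returns None for blank lines, comments and VAR=value assignments.
    Handles both '@reboot cmd' shortcuts and the five time fields.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def assess_command(schedule, command):
    """Return a list of human-readable reasons the entry looks suspicious."""
    reasons = []
    if schedule == "@reboot":
        reasons.append("runs at boot (@reboot)")
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    binary = argv[0] if argv else ""
    if binary.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"binary in user-writable or temp dir: {binary}")
    if any(seg.startswith(".") and seg not in (".", "..") for seg in binary.split("/")):
        reasons.append(f"hidden path component in {binary}")
    if ">/dev/null" in command.replace(" ", ""):
        reasons.append("output discarded to /dev/null")
    return reasons


def audit_crontab(text):
    """Audit a crontab dump and return the entries that tripped a heuristic."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = assess_command(schedule, command)
        if reasons:
            findings.append(CronFinding(n, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    # Feed real data with: crontab -l | python3 cron_audit.py  (reads stdin if piped)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for f in audit_crontab(data):
        print(f"line {f.line_no}: {f.schedule} {f.command}")
        for r in f.reasons:
            print("   -", r)
```

Run it against every user's `crontab -l -u <user>` output on the host; system crontabs under /etc/cron.d carry an extra user field and would need that column skipped before passing them to `audit_crontab`.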

An authentication token and server ID are hardcoded in the ELF, allowing the malware to access the Discord server. The malware joins the server and creates a dedicated channel for itself. Each channel in a given C2 server represents an instance of the malware that has infected a victim system. Via these channels, the threat actors can interact with each victim system individually. A list of the emojis used for command and control and their corresponding commands can be found in the source report. 
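Because the bot token and server ID are hardcoded, a defender can recover them statically from an unpacked sample, and the first dot-separated segment of a Discord bot token base64-encodes the bot's application ID, which is what you report to Discord for takedown. The following Python triage helper is an added example, not code from the Volexity report or from PolySwarm: it checks the ELF magic and the UPX marker, looks for Discord API strings, matches the bot-token shape and 17-20 digit snowflake IDs (server and channel IDs), and decodes the application ID from any token it finds. SAMPLE_BLOB, its token and its IDs are constructed and fake; the regexes are heuristics chosen for this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed stand-in for a packed ELF: ELF header bytes, a UPX marker and a few
# embedded strings. This is NOT a real sample; the token and IDs are made up.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"UPX!" + b"\x00" * 16
    + b"$Info: This file is packed with the UPX executable packer\x00"
    + b"https://discord.com/api/v9/\x00"
    + b"MTIzNDU2Nzg5MDEyMzQ1Njc4.GaBbCc.abcdefghijklmnopqrstuvwxyz0123456\x00"
    + b"1122334455667788990\x00"
    + b"\x90" * 32
)

# Heuristic shape of a Discord bot token: base64(app id) . timestamp . hmac
BOT_TOKEN_RE = re.compile(rb"[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}")
# Discord snowflakes (server/channel/user IDs) are 17-20 decimal digits.
SNOWFLAKE_RE = re.compile(rb"(?<![0-9A-Za-z])\d{17,20}(?![0-9A-Za-z])")
DISCORD_MARKERS = (b"discord.com/api", b"discordapp.com", b"gateway.discord.gg")


@dataclass
class TriageResult:
    is_elf: bool
    upx_packed: bool
    discord_markers: list = field(default_factory=list)
    tokens: list = field(default_factory=list)
    token_app_ids: list = field(default_factory=list)
    snowflakes: list = field(default_factory=list)


def token_app_id(token):
    """Decode the application ID from a bot token's first segment, or None."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64 padding
    try:
        decoded = base64.urlsafe_b64decode(seg).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isdigit() else None


def triage(blob):
    """Static triage of a file image: packing, Discord strings, token, IDs."""
    r = TriageResult(is_elf=blob[:4] == b"\x7fELF", upx_packed=b"UPX!" in blob)
    r.discord_markers = [m.decode() for m in DISCORD_MARKERS if m in blob]
    r.tokens = [t.decode() for t in BOT_TOKEN_RE.findall(blob)]
    r.token_app_ids = [i for i in (token_app_id(t) for t in r.tokens) if i]
    r.snowflakes = sorted({s.decode() for s in SNOWFLAKE_RE.findall(blob)})
    return r


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    res = triage(data)
    print(res)
    if res.upx_packed and not res.tokens:
        print("UPX marker present but no token found: unpack with 'upx -d' and rerun")
```

On a real UPX-packed sample the strings live inside the compressed payload, so the script will see the UPX marker and nothing else until you unpack it (`upx -d`) or dump the running process; it prints a reminder in that case. Recovered tokens and IDs belong in the abuse report to Discord and in your blocklists; never use a recovered token to interact with the C2 server.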

IOCs

PolySwarm has multiple samples associated with this activity.

 

1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99

38e1c0ca15ed83ed27148c31a31e0b33de627519ab2929d4aa69484534589086

 

You can use the following CLI command to search for all DISGOMOJI samples in our portal:

$ polyswarm link list -f DISGOMOJI


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.



Topics: Threat Bulletin, Espionage, India, Pakistan, Government, RAT, Discord, DISGOMOJI
