Auth Lab Community

Can Hackers Control Malware Using Emoticons?

Pakistani Threat Actors Exploit Discord and Emojis for Cyberattacks on Indian Government

According to a recent surge of news reports, a Pakistan-linked threat actor is allegedly targeting Indian government entities in an advanced persistent threat (APT) campaign that uses Discord as its command and control (C2) platform, with emojis serving as the command syntax on compromised devices. Cybersecurity firm Volexity, which discovered the campaign, reports that issuing commands as emojis lets the threat actors bypass detection methods that look for traditional text-based commands while they carry out various malicious activities, including monitoring government agencies in India.

The malware, dubbed Disgomoji, enables the threat actors to execute commands, capture screenshots, steal files, deploy additional payloads, and search for specific files on infected systems. Volexity attributes this cyber espionage campaign to a Pakistani threat actor group it tracks as “UTA0137.”

Reportedly, Disgomoji is a modified version of an open-source Discord-C2 program written in Golang. Discord serves as the malware's central control hub, with each infected device managed through its own dedicated channel.

Upon activation, Disgomoji sends basic system and user information to the attacker, establishes persistence with a “cron” job so that it restarts automatically, and downloads and executes a script that checks USB devices connected to the host and steals data from them.

What sets Disgomoji apart is its user-friendly interface: the operators issue commands simply by sending emojis. For instance, a camera emoji instructs the malware to capture and upload a screenshot, while a fire emoji triggers it to leak files matching common file types such as CSV, DOC, JPG, PDF, RAR, XLS and ZIP, among others. A skull emoji terminates the malicious process.

Some operations still require additional text input. For example, the “person running” emoji executes an arbitrary command and needs an extra parameter specifying the command to run.

Tom Lancaster, Chief Threat Intelligence Analyst at Volexity, noted that UTA0137's custom emoji usage could help evade certain detection methods. However, he added, emojis are unlikely to significantly affect the detection capabilities of security software: other malware families already use numerical codes for their commands without posing any extra difficulty for security solutions.

Moreover, Lancaster highlighted UTA0137's exploitation of a long-standing Linux vulnerability in its recent activity. Researchers found that UTA0137 leveraged CVE-2022-0847, a high-severity vulnerability with a CVSS score of 7.8 commonly known as “Dirty Pipe,” which allows unprivileged users to escalate privileges and gain root access on affected Linux systems. The vulnerability affects the Linux distribution “BOSS,” which has over 6 million downloads, primarily in India.

Therefore, in addition to network monitoring, Lancaster stressed that enterprises should keep their operating systems up to date to defend against known vulnerabilities. Regarding Disgomoji, he recommended that companies evaluate whether their users actually need Discord access and consider disabling it if they do not.
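Following Lancaster's advice to monitor the network and to question whether Discord is needed at all, here is an added example (not Volexity's tooling or code from the article) that flags Discord API, gateway and CDN traffic in proxy log lines coming from hosts that are not on a Discord allowlist. The log lines, the allowlist and the Discord domain suffixes are constructed assumptions in Squid's native access.log layout; the check works the same whether the bot's commands are text or emojis, since it only looks at where the traffic goes.

```python
import re
from collections import defaultdict

# Hostname suffixes for the Discord API, gateway and attachment CDN (assumed list;
# adjust to what your own proxy logs show).
DISCORD_SUFFIXES = ("discord.com", "discord.gg", "discordapp.com")

# Hosts where interactive Discord use is sanctioned (constructed allowlist).
ALLOWED_DISCORD_HOSTS = {"10.0.5.21"}

# Squid native access.log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def url_host(url: str) -> str:
    """Hostname from a proxy URL or a CONNECT target (host:port); IPv6 literals not handled."""
    host = url.split("://", 1)[1] if "://" in url else url
    host = host.split("/", 1)[0]
    return host.rsplit(":", 1)[0].lower()

def is_discord_host(host: str) -> bool:
    # Exact match or a subdomain; "notdiscord.com" must not match.
    return any(host == s or host.endswith("." + s) for s in DISCORD_SUFFIXES)

def find_unexpected_discord(lines):
    """Return {client_ip: [(timestamp, host), ...]} for Discord traffic from non-allowlisted clients."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        host = url_host(m["url"])
        if is_discord_host(host) and m["client"] not in ALLOWED_DISCORD_HOSTS:
            hits[m["client"]].append((m["ts"], host))
    return dict(hits)

# Constructed sample log: 10.0.7.88 talks to the API, the gateway and the CDN.
SAMPLE_LOG = """\
1718000001.123    45 10.0.5.21 TCP_TUNNEL/200 5120 CONNECT discord.com:443 - HIER_DIRECT/1.2.3.4 -
1718000002.456    12 10.0.7.88 TCP_TUNNEL/200 2048 CONNECT discord.com:443 - HIER_DIRECT/1.2.3.4 -
1718000003.789    30 10.0.7.88 TCP_TUNNEL/200 900 CONNECT gateway.discord.gg:443 - HIER_DIRECT/1.2.3.4 -
1718000004.000    20 10.0.7.88 TCP_MISS/200 3400 GET http://cdn.discordapp.com/attachments/1/2/usb.zip - HIER_DIRECT/1.2.3.4 -
1718000005.111    10 10.0.7.88 TCP_MISS/200 700 GET http://updates.example.gov/index.html - HIER_DIRECT/5.6.7.8 -
1718000006.222    15 10.0.9.10 TCP_MISS/200 800 GET http://notdiscord.com/page - HIER_DIRECT/5.6.7.8 -
"""

if __name__ == "__main__":
    for client, events in find_unexpected_discord(SAMPLE_LOG.splitlines()).items():
        print(client, len(events), sorted({h for _, h in events}))
```

A burst of gateway plus CDN traffic from a server or government workstation with no Discord business is the pattern worth escalating; the allowlisted host and the look-alike domain are deliberately left out of the result.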

In light of these cyber threats, businesses are advised to stay vigilant and prioritize cybersecurity measures to safeguard sensitive data and critical infrastructure from malicious actors.