
Shweta Sharma
Senior Writer

India faces evolved cyber espionage with novel Discord hack

News
17 Jun 2024 | 3 mins
Hacker Groups, Malware

Threat actors use Discord emojis for C2 communications, making malware detection challenging.


An espionage campaign suspected of links to Pakistan is using a novel approach to operate malware within infected Indian government systems, according to research by Volexity.

The threat actors — tracked as UTA0137 — use emojis on the messaging service Discord for C2 communications as a technique to evade text-based detection.

“Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India,” Volexity noted in the research. “Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.”

The malware used in this campaign, tracked by Volexity as DISGOMOJI, is written in Golang and is compiled for Linux-based systems.

Targeting Indian BOSS systems

According to Volexity, the campaign specifically targets a custom Linux distribution used predominantly in public systems operated by the Indian government. “Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop,” Volexity said.

DISGOMOJI is planted on the victim system by first delivering an executable and linkable format (ELF) file. The ELF, likely dropped via phishing emails, carries a decoy PDF masquerading as a Defense Service Officer Provident Fund (DSOP) form and borrows the same acronym for its filename, DSOP.file.

Apart from the decoy DSOP.pdf, the UPX-packed ELF carries the DISGOMOJI payload, which on execution collects and exfiltrates system information including the IP address, username, hostname, operating system, and current working directory. Beyond its main functions, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, that checks for connected USB devices and copies their contents to a local folder on the infected system.

Volexity additionally observed the campaign occasionally using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a privilege escalation bug affecting BOSS9 systems that was still being exploited in the wild months after a fix had been rolled out.

Discord C2 for evasion

The campaign uses a custom fork of the open source project discord-C2. The modified version of this project uses emojis in the Discord service for DISGOMOJI’s C2 communications.

Threat actors hardcode an authentication token and server ID within the ELF file, allowing access to the Discord server. The malware generates a unique channel within the Discord server for its own use, with each channel corresponding to a specific victim.
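The UPX-packed ELF described above and the hardcoded Discord token it carries give a defender a few static indicators to triage with. The following Python script is an added example, not Volexity's tooling or anything from the campaign: it checks a file image for the ELF magic, the packer's "UPX!" marker, Discord API host strings and token-shaped strings, and runs against a constructed sample. The token regex is an approximation of the three-part Discord token shape and the sample bytes are made up, not the real DISGOMOJI binary.

```python
import re

# Constructed sample standing in for a suspicious ELF (NOT the real DISGOMOJI sample):
# ELF ident, a UPX packer marker, a Discord API host string and a made-up token-shaped string.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # 64-bit little-endian ELF ident
    + b"\x00" * 32
    + b"UPX!" + b"\x00" * 12                    # "UPX!" marker left in UPX-packed files
    + b"https://discord.com/api/v10/channels\x00"
    + b"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA.Abcdef.abcdefghijklmnopqrstuvwxyz0123\x00"
)

# Assumption: Discord bot tokens look like three dot-separated base64url parts of these lengths.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_-]{23,28}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{27,}")
DISCORD_HOSTS = (b"discord.com/api", b"discordapp.com/api", b"gateway.discord.gg")


def triage(data: bytes) -> dict:
    """Report which DISGOMOJI-style static indicators are present in a file image."""
    findings = {
        "is_elf": data[:4] == b"\x7fELF",
        "upx_packed": b"UPX!" in data,
        "discord_api_string": any(host in data for host in DISCORD_HOSTS),
        "token_like_strings": [m.decode() for m in TOKEN_RE.findall(data)],
    }
    # An ELF that talks to the Discord API and embeds a token-shaped string deserves a closer look;
    # UPX packing alone is common in benign software, so it is reported but not decisive.
    findings["suspicious"] = (
        findings["is_elf"]
        and findings["discord_api_string"]
        and bool(findings["token_like_strings"])
    )
    return findings


def triage_file(path: str) -> dict:
    """Convenience wrapper for triaging a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

A UPX-packed sample hides these strings until unpacked, so run the check on the unpacked image (for example after `upx -d`) as well as on the file as delivered.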

“DISGOMOJI listens for new messages in the command channel on the Discord server,” Volexity added. “C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.”

The attackers have been observed using at least nine different emojis to instruct DISGOMOJI to execute critical C2 commands, as detailed in the Volexity research, while the malware itself is programmed to display two separate emojis to indicate different execution statuses – “processing” and “processed.”

Hackers use this technique, combined with a batch of “bogus strings” including informational and error strings, to misdirect analysis and avoid detection, the research points out.