A cyber espionage campaign targeting Indian government entities in 2024 has been linked to a suspected Pakistan-based threat actor.
Security company Volexity has identified the activity as UTA0137, with the attacker utilizing a malware known as DISGOMOJI, written in Golang and specially designed to infect Linux systems.
The malware is a variant of Discord-C2, utilizing Discord for command and control, and emoji symbols for communication, as explained by Volexity here.
DISGOMOJI was previously discovered by BlackBerry in connection with an attack campaign by the Transparent Tribe hacking group from Pakistan, known for its all-in-one espionage tool.
The attack involves spear-phishing emails delivering a Golang ELF binary, which then downloads the DISGOMOJI payload to gather information and execute commands via Discord.
- 🏃♂️ – Execute commands
- 📸 – Capture screenshots
- 👇 – Upload files
- 👈 – Transfer files
- ☝️ – Download files
- 👉 – Download specific files
- 🔥 – Exfiltrate files
- 🦊 – Gather browser profiles
- 💀 – Terminate malware process
The malware creates separate channels for each victim on the Discord server, allowing the attacker to interact with victims individually.
Volexity discovered various versions of DISGOMOJI with enhanced capabilities to avoid detection and establish persistence.
UTA0137 also utilizes tools like Nmap, Chisel, and Ligolo for network scanning, alongside exploiting vulnerabilities like DirtyPipe for privilege escalation.
The group uses post-exploitation tactics like social engineering with fake dialogs to lure users into disclosing their passwords.
According to Volexity, UTA0137 continues to develop DISGOMOJI for more effective cyber espionage operations.
