Indian government organizations have been subjected to a cyberespionage campaign by suspected Pakistan-based threat operation UTA0137 that involved the targeting of Linux systems with the DISGOMOJI malware that uses emojis for command-and-control communications via Discord, The Hacker News reports.
UTA0137 delivered spearphishing emails to targeted entities carrying a ZIP archive that contains a Golang ELF binary; executing the binary triggers the download of a lure file and of the DISGOMOJI payload, which then processes emojis sent through the attacker-controlled Discord server, a report from Volexity revealed. The commands supported by DISGOMOJI include command execution, file discovery and exfiltration, and termination of the malware process, triggered by the person running, fire, and skull emojis, respectively, said researchers, who also discovered several variants of the payload that add persistence and dynamic credential retrieval, among other capabilities.
"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels," noted Volexity.
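Because the channel described above rides on a legitimate service, network-level blocking is rarely an option; one defensive check is to look for Linux processes that are not a browser or Discord client yet repeatedly contact Discord's API or gateway hosts. The following is an added example written for this page, not code from the article or from Volexity's report. It assumes a constructed per-connection log format (`pid=... comm=... dst=host:port`), the public Discord hostnames `discord.com`, `discordapp.com` and `discord.gg` (the report does not state which hosts DISGOMOJI contacts), and a process name `sysupd` that is made up for the sample log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: public Discord API/gateway domains. Suffix matching is used so
# that subdomains such as gateway.discord.gg match but notdiscord.com does not.
DISCORD_HOST_SUFFIXES = ("discord.com", "discordapp.com", "discord.gg")

# Processes for which a connection to Discord is expected on a workstation.
EXPECTED_CLIENTS = {"discord", "firefox", "chrome", "chromium"}

# Constructed log format: "<timestamp> pid=<n> comm=<process> dst=<host>:<port>"
LOG_RE = re.compile(r"pid=(?P<pid>\d+)\s+comm=(?P<comm>\S+)\s+dst=(?P<host>[^:\s]+)")


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    host: str
    connections: int


def parse_line(line):
    """Return (pid, process name, lowercased destination host) or None if the line is malformed."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return int(m.group("pid")), m.group("comm"), m.group("host").lower()


def is_discord_host(host):
    """True when host is a Discord domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in DISCORD_HOST_SUFFIXES)


def find_suspicious_discord_clients(lines, min_connections=1):
    """Flag (pid, process, host) triples where a non-client process reached Discord.

    The connection count per triple is kept because a C2 implant that polls a
    Discord channel for new messages shows up as repeated connections, while a
    one-off connection from an unknown process is weaker evidence.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        pid, comm, host = parsed
        if not is_discord_host(host) or comm.lower() in EXPECTED_CLIENTS:
            continue
        counts[(pid, comm, host)] += 1
    return [
        Finding(pid, comm, host, n)
        for (pid, comm, host), n in sorted(counts.items())
        if n >= min_connections
    ]


# Constructed sample log: one browser session, one unknown process polling
# Discord every 30 seconds, one unrelated host, and one malformed line.
SAMPLE_LOG = [
    "2024-06-17T10:00:01Z pid=2231 comm=firefox dst=discord.com:443",
    "2024-06-17T10:00:05Z pid=4102 comm=sysupd dst=discord.com:443",
    "2024-06-17T10:00:35Z pid=4102 comm=sysupd dst=gateway.discord.gg:443",
    "2024-06-17T10:01:05Z pid=4102 comm=sysupd dst=discord.com:443",
    "2024-06-17T10:01:10Z pid=5120 comm=curl dst=notdiscord.com:443",
    "malformed line",
]

if __name__ == "__main__":
    for finding in find_suspicious_discord_clients(SAMPLE_LOG):
        print(f"pid={finding.pid} {finding.process} -> {finding.host} ({finding.connections} connections)")
```

Raising `min_connections` trades coverage for precision: with the sample log, a threshold of 2 keeps only the repeated polling of `discord.com` and drops the single gateway connection. A real deployment would feed this from audit or eBPF connection events that carry the process name and resolved destination, and would extend the allow-list to whatever Discord-using software is sanctioned on the host.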