Indian Government Targeted by Emoji-Controlled Spyware
Share
Indian government organizations are under attack from a Pakistani hacking group (APT) using a novel malware called Disgomoji. This malware leverages a combination of an old Linux vulnerability (“Dirty Pipe”) and a unique command-and-control system based on emojis within the Discord messaging platform.
Disgomoji: Espionage with a Smiley Face
Disgomoji, identified by researchers at Blackberry, is a custom-built tool designed for cyberespionage. It’s a modified version of a publicly available program and utilizes Discord servers as its control center. Each infected device is managed through a dedicated Discord channel.
Upon activation, Disgomoji gathers basic system and user information before establishing persistence by embedding itself in the system’s task scheduler. It also actively searches for and steals data from USB drives connected to the infected device.
The Emoji Advantage (or Not)
Disgomoji’s distinct feature is its user-friendly control system based on emojis. Hackers can send commands using simple emojis, such as a camera emoji for capturing screenshots or a fire emoji to steal specific file types. A skull emoji even terminates the malware process.
While seemingly whimsical, security experts believe the emojis offer little practical advantage in bypassing detection. Traditional malware might use numbers for commands, and the underlying functionality remains the same.
Dirty Pipe Vulnerability Makes a Comeback
More concerning than the emoji gimmick is UTA0137’s exploitation of a known Linux vulnerability – CVE-2022-0847, also known as Dirty Pipe. This high-severity flaw allows unauthorized users to gain full control (root access) of targeted systems.
Dirty Pipe was patched over two years ago, but it remains a threat to outdated systems, particularly those using the “BOSS” Linux distribution, popular in India with millions of downloads.
How to Avoid Future Attacks
While the emoji-based control system of Disgomoji grabs headlines, the underlying attack methods rely on common vulnerabilities. Here’s how to strengthen your defenses:
Patching is Paramount
- Prioritize Updates: Make applying security patches to operating systems (OS) a top priority. Patching promptly closes the doors exploited by Dirty Pipe and similar vulnerabilities.
- Automated Patching: Consider deploying automated patching solutions to ensure timely updates across your systems.
- Update Third-Party Software: Don’t forget to update other software like browsers, productivity tools, and security applications. Many offer automatic update options.
Securing Your Discord
- Discord Access Evaluation: Assess if your organization needs Discord access for legitimate business purposes. If not, consider blocking it entirely.
- Discord Monitoring: If Discord access is essential, implement monitoring solutions to track connections and identify suspicious activity. Look for unusual logins, high data transfer rates, or connections to unknown servers.
- User Education: Educate employees about social engineering tactics and the dangers of clicking on links or downloading files from untrusted sources, even on Discord.
By acting on these recommendations, organizations can significantly reduce the risk of falling victim to attacks like the one employed by UTA0137. Note that a layered approach combining technical controls and user education is crucial for robust cybersecurity.