A recently identified Linux malware, named ‘DISGOMOJI,’ employs an innovative method of using emojis to execute commands on compromised systems, specifically targeting government agencies in India.
Cybersecurity firm Volexity uncovered the malware, attributing it to a Pakistan-based threat actor it tracks as ‘UTA0137.’ Volexity’s 2024 analysis revealed a cyber-espionage campaign by UTA0137 aimed at Indian government entities. UTA0137’s campaigns have been notably effective.
DISGOMOJI shares functionalities with other backdoors and botnets, enabling threat actors to execute commands, capture screenshots, exfiltrate files, deploy additional payloads, and search for specific files. What distinguishes DISGOMOJI is its use of Discord and emojis as its command and control (C2) platform, a tactic that may help it evade detection by security software designed to identify text-based commands.
The discovery of DISGOMOJI began when researchers found a UPX-packed ELF executable within a ZIP archive, likely distributed through phishing emails. The malware targets BOSS, a custom Linux distribution used by Indian government agencies, although it could potentially be adapted for other Linux distributions.
Upon execution, the malware downloads and displays a decoy PDF document, a beneficiary form from India’s Defence Service Officer Provident Fund, while simultaneously downloading additional malicious payloads, including DISGOMOJI and a shell script named ‘uevent_seqnum.sh’ used to search for and steal data from USB drives.
When DISGOMOJI is activated, it exfiltrates system information, such as IP address, username, hostname, operating system, and current working directory, sending this data back to the attackers. The threat actors use the open-source command and control project discord-c2 to communicate with infected devices via Discord, employing emojis to issue commands. Nine specific emojis are used to represent different commands.
DISGOMOJI ensures persistence on the infected Linux devices using the @reboot cron command to relaunch itself at startup. Additional versions of the malware utilize other persistence mechanisms, such as XDG autostart entries, to maintain their presence.
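As an added defender-side illustration (not code from the article or from Volexity's research), the script below audits a host for the two persistence mechanisms named above: `@reboot` crontab entries and `Exec=` targets in XDG autostart `.desktop` files. The crontab and desktop-file contents are constructed samples, and the flagged paths are hypothetical; the directory markers in `SUSPECT_DIRS` are a starting heuristic to tune against your own baseline.

```python
import re

# Constructed sample crontab: one benign job and one @reboot launcher that
# points into a temp directory (hypothetical path, chosen to trip the check).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.cache/svchost &
"""

# Constructed sample XDG autostart entry (hypothetical content).
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=System Update
Exec=/home/user/.config/.update/run.sh
Hidden=false
"""

# Path fragments that rarely belong in legitimate startup launchers:
# temp filesystems and hidden dot-directories nested under ~/.config.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/.cache/", "/.config/.")

def reboot_entries(crontab_text):
    """Return the command portion of every @reboot line in a crontab dump."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("@reboot"):
            cmds.append(line[len("@reboot"):].strip())
    return cmds

def autostart_exec(desktop_text):
    """Return the Exec= target of an XDG .desktop file, or None if absent."""
    m = re.search(r"^Exec=(.+)$", desktop_text, re.MULTILINE)
    return m.group(1).strip() if m else None

def is_suspicious(command):
    """True when the launcher lives in a temp or hidden dot-directory."""
    return any(marker in command for marker in SUSPECT_DIRS)

def audit(crontab_text, desktop_texts):
    """Return (source, command) pairs that merit an analyst's attention."""
    findings = [("crontab @reboot", c) for c in reboot_entries(crontab_text) if is_suspicious(c)]
    for name, text in desktop_texts.items():
        cmd = autostart_exec(text)
        if cmd and is_suspicious(cmd):
            findings.append((f"autostart {name}", cmd))
    return findings

if __name__ == "__main__":
    for source, cmd in audit(SAMPLE_CRONTAB, {"update.desktop": SAMPLE_DESKTOP}):
        print(f"[!] {source}: {cmd}")
```

On a live system, feed `audit()` the output of `crontab -l` for each user and the contents of `~/.config/autostart/*.desktop` and `/etc/xdg/autostart/*.desktop`.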
Once a device is compromised, the threat actors exploit their access to move laterally within the network, exfiltrate data, and steal additional credentials from targeted users.
The use of emojis as command identifiers presents a novel approach that may bypass traditional security measures designed to detect string-based malware commands, making this a particularly intriguing and potentially effective method for avoiding detection.
To prevent infections from DISGOMOJI malware, organizations should implement multi-layered security measures, including advanced threat detection systems capable of identifying non-traditional command and control methods. They should also deploy endpoint protection that monitors and blocks unusual behaviors, and use network segmentation to limit the spread of infections.