TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Volexity

DISGOMOJI Malware Used to Target Indian Government

mindgrub · 2024-06-13

ATT&CK techniques detected

33 predictions
T1027.002 Software Packing · 98%
“packed ELF written in Golang that was delivered within a ZIP file, MD5: 1443e58a298458c30ab91b37c0335bdadbacd756 [2] DISGOMOJI, also a UPX-packed ELF written in Golang; MD5: 0d4111ab5471c7f5b909bff336ba8cd66f9d8630 [3] Recent DISGOMOJI variation, a UPX-packed ELF file written…”
T1057 Process Discovery · 98%
“is likely an attempt to confuse anyone examining its contents. The actual main content of this file is shown below: Finally, in this newer chain the resulting DISGOMOJI sample [6] shows improvements on the older samples, including the following: functionality has been added to pre…”
T1068 Exploitation for Privilege Escalation · 97%
“: In a recent campaign, Volexity noticed UTA0137 deploying the DirtyPipe (CVE-2022-0847) privilege-escalation exploit against a system. Volexity sought to determine why the threat actor was deploying a vulnerability from 2022. After downloading the latest ISO of the BOSS…”
T1068 Exploitation for Privilege Escalation · 97%
“…aging a preinstalled utility named zenity. UTA0137 issued multiple commands that pop up a dialog box on the user’s system, masquerading as a Firefox update: In a recent campaign, Volexity noticed UTA0137 deploying the DirtyPipe (CVE-2022-0847) privilege-escalation ex…”
T1057 Process Discovery · 96%
“again, and DISGOMOJI counts the number of vmcoreinfo processes running by counting occurrences of vmcoreinfo and /usr/bin/vmcoreinfo strings in ps_output.txt. If the combined number of occurrences of both strings is greater than two, then DISGOMOJI will not run; it will e…”
T1048 Exfiltration Over Alternative Protocol · 96%
“Index Pointing Up: upload a file to the victim’s device. The file to upload is attached along with this emoji. Backhand Index Pointing Right: upload a file from the victim’s device to oshi (oshi[.]at), a remote file-storage service. This command receives an argument, whi…”
T1102.002 Bidirectional Communication · 94%
“be retrieved later by attacker. Commands: DISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with a…”
T1048 Exfiltration Over Alternative Protocol · 93%
“attachment. Backhand Index Pointing Down: download files from the victim’s device and upload them to the command channel as attachments. This command receives one argument, which is the path of the file. Index Pointing Up: upload a file to the victim’s device. The file to uploa…”
T1204.002 Malicious File · 88%
“ELF [1] written in Golang that was delivered within a ZIP file. This ELF downloads a benign lure file, DSOP.pdf, that is displayed to the victim; DSOP is the acronym for India’s Defence Service Officer Provident Fund. A portion of the PDF is shown below: The malware then downlo…”
T1572 Protocol Tunneling · 78%
“the C2, it prints an error string "error fetching repository key: %v". Similarly, when it fails to retrieve the server ID, it prints "error fetching dpkg: %v". UTA0137 Post-Infection Behavior: Volexity was able to uncover a number of second-stage tools used by UTA0137 f…”
T1204.002 Malicious File · 76%
“access paired with decoy documents (suggesting a phishing context) is uncommon, as the attacker would only do this if they know the target is a Linux desktop user. Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards govern…”
T1102.002 Bidirectional Communication · 70%
“sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable. While DISGOMOJI is processing a command, it reacts with a "Clock" emoji in the command message to let the attacker know the command is be…”
T1567 Exfiltration Over Web Service · 61%
“Index Pointing Up: upload a file to the victim’s device. The file to upload is attached along with this emoji. Backhand Index Pointing Right: upload a file from the victim’s device to oshi (oshi[.]at), a remote file-storage service. This command receives an argument, whi…”
T1547.013 XDG Autostart Entries · 60%
“sh is to download a copy of the DISGOMOJI malware from ordai[.]quest/vmcoreinfo. lan_conf.sh also adds crontab entries for itself and the DISGOMOJI malware. Volexity observed that lan_conf.sh also downloads and adds crontab entries for the USB-stealing script uevent…”
T1572 Protocol Tunneling · 60%
“routine in order to throw off anyone looking at the strings. This finding can further be confirmed by looking at some error strings. For example, when the malware is unable to retrieve the Discord token from the C2, it prints an error string "error fetching repository key: %v…”
T1102.002 Bidirectional Communication · 59%
“public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a phishing context) is uncommon, as the attac…”
T1547.013 XDG Autostart Entries · 56%
“a Bash script whose contents are shown below: The obfuscation used matches a common format used by UTA0137 in campaigns dating back to mid-2023. The purpose of lan_conf.sh is to download a copy of the DISGOMOJI malware from ordai[.]quest/vmcoreinfo. lan_conf.sh also…”
T1567 Exfiltration Over Web Service · 53%
“attachment. Backhand Index Pointing Down: download files from the victim’s device and upload them to the command channel as attachments. This command receives one argument, which is the path of the file. Index Pointing Up: upload a file to the victim’s device. The file to uploa…”
T1102.003 One-Way Communication · 50%
“to access the Discord server. The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels. The channel name format…”
T1566.001 Spearphishing Attachment · 46%
“ELF [1] written in Golang that was delivered within a ZIP file. This ELF downloads a benign lure file, DSOP.pdf, that is displayed to the victim; DSOP is the acronym for India’s Defence Service Officer Provident Fund. A portion of the PDF is shown below: The malware then downlo…”
T1572 Protocol Tunneling · 46%
“who mainly targets government organizations. The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI. This malware is built on the existing open-source project discord-c2, and the attacker has expanded on existing code to add conve…”
T1204.002 Malicious File · 46%
“…t, rar, sql, tar, xls, zip. Fox: zip all Firefox profiles on the victim’s device. These files can be retrieved by the attacker at a later time. Skull: terminate the malware process using os.Exit(). DISGOMOJI Variations: Over time, there have been various variations of the DISG…”
T1204.002 Malicious File · 41%
“third-party storage services used to exfiltrate data; Linux persistence techniques; and open-source tools used after successful infection. Analysis: Volexity’s analysis started with a UPX-packed ELF [1] written in Golang that was delivered within a ZIP file. This ELF downlo…”
T1102.003 One-Way Communication · 40%
“…_control/bid1.txt Discord server ID https[:]//ordai[.]quest/admin_control/gid1.txt This new mechanism makes it more difficult for Discord to disrupt DISGOMOJI’s operations. Even if the malicious Discord server is banned or the token revoked, it allows UTA013…”
T1204.002 Malicious File · 40%
“terminate the malware process using os.Exit(). DISGOMOJI Variations: Over time, there have been various variations of the DISGOMOJI malware used by UTA0137. Another campaign which illustrates the most recent variation involved another UPX-packed ELF [3], which is written in Gola…”
T1566.001 Spearphishing Attachment · 38%
“third-party storage services used to exfiltrate data; Linux persistence techniques; and open-source tools used after successful infection. Analysis: Volexity’s analysis started with a UPX-packed ELF [1] written in Golang that was delivered within a ZIP file. This ELF downlo…”
T1546.004 Unix Shell Configuration Modification · 38%
“sh is to download a copy of the DISGOMOJI malware from ordai[.]quest/vmcoreinfo. lan_conf.sh also adds crontab entries for itself and the DISGOMOJI malware. Volexity observed that lan_conf.sh also downloads and adds crontab entries for the USB-stealing script uevent…”
T1095 Non-Application Layer Protocol · 35%
“be retrieved later by attacker. Commands: DISGOMOJI listens for new messages in the command channel on the Discord server. C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with a…”
T1041 Exfiltration Over C2 Channel · 35%
“attachment. Backhand Index Pointing Down: download files from the victim’s device and upload them to the command channel as attachments. This command receives one argument, which is the path of the file. Index Pointing Up: upload a file to the victim’s device. The file to uploa…”
T1027.002 Software Packing · 34%
“…756 [2] DISGOMOJI, also a UPX-packed ELF written in Golang; MD5: 0d4111ab5471c7f5b909bff336ba8cd66f9d8630 [3] Recent DISGOMOJI variation, a UPX-packed ELF file written in Golang; MD5: e5182d13d66c3efaa7676510581d622f98471895 [4] lan_conf.sh; MD5: e1bdb995998ab338fc596777…”
T1095 Non-Application Layer Protocol · 33%
“sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable. While DISGOMOJI is processing a command, it reacts with a "Clock" emoji in the command message to let the attacker know the command is be…”
T1071 Application Layer Protocol · 32%
“public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a phishing context) is uncommon, as the attac…”
T1071 Application Layer Protocol · 30%
“the C2, it prints an error string "error fetching repository key: %v". Similarly, when it fails to retrieve the server ID, it prints "error fetching dpkg: %v". UTA0137 Post-Infection Behavior: Volexity was able to uncover a number of second-stage tools used by UTA0137 f…”

Summary

Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified […]
