Hackers often show great creativity when setting up command and control (C2) infrastructure. One new campaign has been seen using Discord for C2 and an emoji-based protocol “where the attacker sends commands to the malware by sending emojis to the command channel.”
So say security researchers at Volexity, in a blog post published on June 13. They attributed the campaign to a “suspected Pakistan-based threat actor” that is primarily targeting Indian government entities – some of which apparently often use a customised Linux desktop called BOSS.
(Who knew? We didn’t. Shame on us. In India it really is the Year of Linux on the Desktop™. Reading around this we learned that in 2023 India took another hardened Linux distribution to general availability called MayaOS that was set to be adopted by India’s Ministry of Defense and subsequently the country’s Army, Navy and Air Force. Know more about levels of adoption and indeed user experience? We'd love to hear from you.)
We digress.
Discord, originally a platform for gamers to communicate, has been used for C2 before, as have Telegram, queued print jobs, and the Slack API; the former via the C3 framework used in the Colonial Pipeline attack.
In general Red Teamers and Black Hats have been creative and prolific in creating C2 frameworks – one collection of examples is in a non-Stack owned Google Doc here; hit links at your own risk/in a sandbox. But this campaign is unique, not least in using emojis to control the malware.
As Volexity put it today: “An authentication token and server ID are hardcoded inside [an] ELF [a way to store apps to be executed by a Linux-based computer], which are used to access the Discord server. The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim...
C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable," said Volexity, sharing the below Emoji commands.
Volexity's more technically detailed writeup on the campaign is here.
It notes that in previous versions of what it dubs the "DISGOMOJI" malware "both the authentication token and server ID were hardcoded in the malware binary. In the newer versions of DISGOMOJI, [threat group] UTA0137 has introduced changes to manage these dynamically from the C2 at runtime.
"Once the authentication token and server ID are retrieved, they are stored locally on the system in files named BID1.txt and GID1.txt, which are written to the malware directory .x86_64-linux-gnu. Every time the malware runs, these locally saved values are synced with values retrieved from the server," Washington, D.C.-based cybersecurity firm Volexity said.
The malware maintains persistence on the system using cron, a way of scheduling jobs, and can "survive reboots through the addition of a @reboot entry to the crontab for itself."
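As an added defender-side example (not code from Volexity or the article), the script below parses a crontab and flags entries that either use the @reboot schedule or reference the hidden .x86_64-linux-gnu directory named above, generalising slightly to any hidden directory in a scheduled command. The sample crontab, the username and the file names under the hidden directory are constructed for illustration and are not indicators from the writeup.

```python
import re
from typing import Dict, List

# Constructed sample crontab: the @reboot entry and the .x86_64-linux-gnu directory
# mirror the persistence described above; user and file names are invented.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
@daily /home/user/bin/backup.sh
@reboot /home/user/.x86_64-linux-gnu/run
*/5 * * * * /home/user/.x86_64-linux-gnu/update >/dev/null 2>&1
"""

SUSPICIOUS_DIR = ".x86_64-linux-gnu"          # directory named in the writeup
HIDDEN_DIR_RE = re.compile(r"/\.[^/\s]+/")     # any /.hidden/ path component

def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into schedule/command pairs, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ... special strings
            schedule, _, command = line.partition(" ")
        else:                                         # five time fields then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                              # malformed line, ignore
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries

def flag_persistence(text: str) -> List[Dict[str, str]]:
    """Return entries that run at boot or launch something from a hidden directory."""
    flagged = []
    for entry in parse_crontab(text):
        reasons = []
        if entry["schedule"] == "@reboot":
            reasons.append("runs at boot via @reboot")
        if SUSPICIOUS_DIR in entry["command"]:
            reasons.append(f"command references {SUSPICIOUS_DIR}")
        elif HIDDEN_DIR_RE.search(entry["command"]):
            reasons.append("command runs from a hidden directory")
        if reasons:
            flagged.append({**entry, "reason": "; ".join(reasons)})
    return flagged

if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_CRONTAB):
        print(f"{hit['schedule']:<12} {hit['command']}  <- {hit['reason']}")
```

On a live system, feed it the output of `crontab -l` for each user (and the files under /etc/cron.d) rather than the constructed sample.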
BlackBerry last month published a detailed writeup on a threat group with some apparent overlap. It noted that the group "primarily employs phishing emails as the preferred method of delivery for their payloads, utilizing either malicious ZIP archives or links" and variations of GLOBSHELL, a custom-built Linux file exfiltration utility, but also noted some apparently clumsy operational security errors that exposed it operating from Pakistan.