June 17, 2024 at 01:51AM

■■■■□ Cyber-attack by Pakistan aimed at India-based users.

The Pakistani APT, tracked by Volexity as UTA0137, uses emojis to control malware.

Hackers are targeting government agencies in India and engaging in cyber espionage using a core toolkit called DISGOMOJI.

The malware exclusively targets Linux systems, specifically the BOSS distribution used by the Indian government.

Researchers believe the attackers used phishing attacks for initial access, as evidenced by the discovery of fake documents used as bait.

Once launched, DISGOMOJI sends a registration message that includes the IP address, user and hostname, operating system, and current working directory. It then persists across system reboots while waiting for further messages.

A distinctive feature of DISGOMOJI is its use of a Discord channel as C2 and of emojis as the commands that control infected systems.

Instead of typing commands, UTA0137 sends emojis: a camera emoji takes a screenshot of the victim’s device.

The fox emoji archives all Firefox profiles on the device, and the “index finger” emoji transfers files to the C2.
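As an added illustration (not Volexity's code or anything from the malware itself), a defender-side hunt over constructed egress-proxy log lines for the C2 pattern described above: a Linux host polling the Discord API from a non-browser client on a fixed cadence. The host names, the channel id and the log format are assumptions.

```python
import re
from datetime import datetime

# Constructed egress-proxy lines (not real telemetry); the channel id is a placeholder.
# Format: <timestamp> <source host> <method> <url> <user-agent>
SAMPLE_LOG = """\
2024-06-10T09:00:01Z boss-ws-12 GET https://discord.com/api/v9/channels/000000000000000000/messages python-requests/2.31
2024-06-10T09:00:31Z boss-ws-12 GET https://discord.com/api/v9/channels/000000000000000000/messages python-requests/2.31
2024-06-10T09:01:01Z boss-ws-12 GET https://discord.com/api/v9/channels/000000000000000000/messages python-requests/2.31
2024-06-10T09:01:31Z boss-ws-12 POST https://discord.com/api/v9/channels/000000000000000000/messages python-requests/2.31
2024-06-10T09:03:12Z boss-ws-07 GET https://discord.com/app Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0
2024-06-10T09:05:44Z boss-ws-07 GET https://example.org/ Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0
"""

# Only API calls matter here; a user simply browsing discord.com is not the signal.
DISCORD_API = re.compile(r"^https://(?:discord|discordapp)\.com/api/")

def parse_line(line):
    ts, host, method, url, ua = line.split(maxsplit=4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, url, ua

def hunt_discord_beacons(log_text, min_hits=3, jitter_tolerance=5.0):
    """Return {host: finding} for hosts whose Discord API traffic looks like a C2
    poll: a non-browser client and/or requests spaced at a near-constant interval."""
    per_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url, ua = parse_line(line)
        if not DISCORD_API.match(url):
            continue
        per_host.setdefault(host, []).append((ts, method, ua))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        # Fixed cadence: every gap between consecutive calls within the tolerance.
        regular = len(hits) >= max(min_hits, 2) and (max(gaps) - min(gaps)) <= jitter_tolerance
        non_browser = any(not ua.startswith("Mozilla/") for _, _, ua in hits)
        if regular or non_browser:
            findings[host] = {
                "requests": len(hits),
                "non_browser_client": non_browser,
                "regular_polling": regular,
                "posts": sum(1 for _, m, _ in hits if m == "POST"),  # uploads, e.g. a registration beacon
            }
    return findings

if __name__ == "__main__":
    for host, finding in hunt_discord_beacons(SAMPLE_LOG).items():
        print(host, finding)
```

A hit on a single host is a lead to pivot on (process name, parent, persistence entries), not a verdict: legitimate Discord bots produce the same shape of traffic.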

The malware has many features, such as using Nmap to scan victims’ networks, Chisel and Ligolo for network tunneling, and a file-sharing service to download and host stolen data.

The malware also sometimes prompts victims for their passwords while posing as a Firefox update.

Attribution is based on a hard-coded Pakistani time zone, weak infrastructure links to a known threat actor, use of the Punjabi language, and victimology.

Volexity researchers have found it difficult to unambiguously identify the APT.