New Linux malware is controlled through emojis sent from Discord (www.bleepingcomputer.com)
from BrikoX@lemmy.zip to cybersecurity@sh.itjust.works on 16 Jun 2024 07:32
https://lemmy.zip/post/17455389

A newly discovered Linux malware dubbed ‘DISGOMOJI’ uses the novel approach of utilizing emojis to execute commands on infected devices in attacks on government agencies in India.

#cybersecurity


[deleted] on 16 Jun 2024 08:00

.

WeirdAlex03@lemmy.zip on 16 Jun 2024 08:18

If you actually read it, the emojis are just a silly little C2 frontend, the actual attack vector has nothing to do with Discord

rtxn@lemmy.world on 16 Jun 2024 08:30

OP didn’t bother to write it, so I will. The infection vector is an executable distributed through mail, targeting computers of the Indian government.

According to Volexity, the malware was discovered after the researchers spotted a UPX-packed ELF executable in a ZIP archive, likely distributed through phishing emails. Volexity believes that the malware targets a custom Linux distribution named BOSS that Indian government agencies use as their desktop.

When executed, the malware will download and display a PDF lure that is a beneficiary form from India’s Defence Service Officer Provident Fund in case of an officer’s death.

However, additional payloads will be downloaded in the background, including the DISGOMOJI malware and a shell script named ‘uevent_seqnum.sh’ that is used to search for USB drives and steal data from them.

When DISGOMOJI is launched, the malware will exfiltrate system information from the machine, including IP address, username, hostname, operating system, and the current working directory, which is sent back to the attackers.

To control the malware, the threat actors utilize the open-source command and control project discord-c2, which uses Discord and emojis to communicate with infected devices and execute commands.

The malware will connect to an attacker-controlled Discord server and wait for the threat actors to type emojis into the channel.
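A defender-side heuristic for the behaviour quoted above (a process that is not a known Discord client or browser holding a connection to Discord's gateway), added here as an example and not code from the article, from Volexity, or from discord-c2. The process allowlist and the sample records are assumptions constructed for the example:

```python
"""Flag Linux processes talking to Discord that are not an expected client.
Heuristic only: the sample telemetry below is constructed, not real data."""
from dataclasses import dataclass

# Hostnames used by Discord's API and WebSocket gateway.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
# Processes expected to reach Discord on a desktop (assumption; tune per fleet).
EXPECTED_CLIENTS = {"Discord", "discord", "firefox", "chrome", "chromium", "brave"}
# Directories a legitimate client is not normally launched from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass(frozen=True)
class Conn:
    pid: int
    comm: str       # process name as reported by the kernel
    exe: str        # resolved path of the executable
    dst_host: str   # destination hostname (from DNS or TLS SNI logging)
    dst_port: int


def is_suspicious(c: Conn) -> list[str]:
    """Return the reasons a Discord connection looks like C2 rather than chat."""
    reasons: list[str] = []
    if c.dst_host.lower() not in DISCORD_HOSTS:
        return reasons                       # not Discord traffic, nothing to say
    if c.comm not in EXPECTED_CLIENTS:
        reasons.append(f"unexpected process '{c.comm}' reaching {c.dst_host}")
    if c.exe.startswith(SUSPICIOUS_DIRS) or "/.cache/" in c.exe:
        reasons.append(f"executable in unusual location {c.exe}")
    if c.dst_port != 443:
        reasons.append(f"non-standard port {c.dst_port}")
    return reasons


def triage(conns: list[Conn]) -> dict[int, list[str]]:
    """Map pid -> reasons for every connection that raised at least one flag."""
    return {c.pid: r for c in conns if (r := is_suspicious(c))}


# Constructed sample telemetry; names and paths are placeholders, not real IoCs.
SAMPLE = [
    Conn(1201, "firefox", "/usr/lib/firefox/firefox", "discord.com", 443),
    Conn(1337, "Discord", "/usr/share/discord/Discord", "gateway.discord.gg", 443),
    Conn(2042, "unknown-bin", "/tmp/.cache/unknown-bin", "gateway.discord.gg", 443),
    Conn(2050, "curl", "/usr/bin/curl", "example.com", 443),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Feeding it real connection records (for example from `ss -tnp` joined with DNS logs) turns it into a cheap hunt for the "malware connects directly to the server" case discussed further down the thread.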

KISSmyOSFeddit@lemmy.world on 16 Jun 2024 08:38

So to get infected, you need to download and unpack a ZIP archive sent to you from an unknown address, then execute the file it contains? In that case, I’m not too worried.

OfficerBribe@lemm.ee on 16 Jun 2024 10:37

Just like most malware

sugar_in_your_tea@sh.itjust.works on 16 Jun 2024 16:01

Especially Linux malware. It’s not a huge target, so it’s likely to be low effort stuff like this instead of zero-days attacking some linux-specific API. That level of attack is reserved for higher value targets, like servers and windows.

Aux@lemmy.world on 16 Jun 2024 16:21

Linux servers are the biggest target though.

sugar_in_your_tea@sh.itjust.works on 16 Jun 2024 17:20

Exactly, because they’re high value targets, as I mentioned. But they’re going to use more exotic exploits than an attack on linux desktops, because the expected return vs work to get the exploit makes more sense. Grandma isn’t likely using linux to access her bank account, but she is likely accessing a linux server.

KISSmyOSFeddit@lemmy.world on 16 Jun 2024 16:35

It’s not a huge target

I never understood that claim. Most of the internet, most servers and most machine controllers, as well as most cloud services (including Microsoft Azure) run on Linux.
It’s the biggest target in the world.

sugar_in_your_tea@sh.itjust.works on 16 Jun 2024 17:25

Linux servers are, and I specifically called that out. The types of attacks you use against a server are very different than attacks against a desktop. Most desktops don’t run web servers, and most servers don’t run discord or web browsers.

So linux desktops should see a lot fewer attacks than servers because the value of successfully attacking them is much lower. As that changes, so will the amount of malware targeting linux desktops.

kernelle@lemmy.world on 16 Jun 2024 11:13

It’s more about C&C, novel ways to get around firewall restrictions. Deploying a payload is the hard part, but having control over a large botnet without raising red flags is an art as well.

dotslashme@infosec.pub on 16 Jun 2024 10:08

Pretty clever to disguise the commands and replies as emojis. I bet it’s going to open yet another cat-and-mouse game for pattern matching.

driving_crooner@lemmy.eco.br on 16 Jun 2024 12:29

What happens if the victim doesn’t have Discord installed on the PC? The virus has no way to get orders?

Evotech@lemmy.world on 16 Jun 2024 13:35

Didn’t sound like it uses the discord client but rather the malware connects directly to a server