Full Report
Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. The malware used in these recent campaigns, which Volexity tracks as DISGOMOJI, is written in Golang and compiled for Linux systems. Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful. DISGOMOJI appears to be exclusively used by UTA0137. It is a modified version of the public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a […] The post DISGOMOJI Malware Used to Target Indian Government appeared first on Volexity.
Analysis Summary
# Threat Actor: UTA0137
## Attribution & Identity
* **Identification/Attribution:** Suspected Pakistan-based threat actor.
* **Known Aliases:** UTA0137 (Volexity tracking designation).
* **Associated Groups:** Weak infrastructure links to SideCopy (a known Pakistan-based threat actor).
## Activity Summary
UTA0137 conducted a cyber-espionage campaign in 2024 primarily targeting government entities in India. The campaigns utilized custom Linux malware, DISGOMOJI, and achieved successful infections, reportedly prompting Volexity to report details to India's National Informatics Centre (NIC). The actor leveraged the DirtyPipe vulnerability (CVE-2022-0847) against vulnerable "BOSS 9" Linux systems for privilege escalation.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing context suggested by the use of decoy documents (`DSOP.pdf`, relating to the Defence Service Officer Provident Fund). Delivering a UPX-packed ELF Golang executable.
* **Execution/Persistence:**
* Persistence achieved via adding a `@reboot` entry to the system’s crontab.
* Execution of downloaded scripts (`uevent_seqnum.sh`).
* Social engineering via malicious dialog boxes using the Zenity utility to solicit user passwords.
* **Privilege Escalation:** Exploitation of the DirtyPipe vulnerability (CVE-2022-0847) against BOSS Linux systems to gain root privileges.
* **Discovery/Collection:**
* Checking connected USB devices and copying files from them locally for later exfiltration.
* Collecting user browser data and documents.
* **Exfiltration:** Use of third-party storage services for data exfiltration.
* **Command and Control (C2):** Custom utilization of the Discord platform based on the open-source `discord-c2` project, employing an emoji-based protocol.
* **MITRE ATT&CK Coverage (Implied/Explicit TTPs):** T1566 (Phishing), T1059 (Command and Scripting Interpreter, specifically Bash/Cron), T1134 (Access Token Manipulation, implied via privilege escalation), T1070.004 (File Deletion, implied via post-exploitation cleanup/movement).
## Targeting
* **Sectors:** Government entities.
* **Geography:** India.
* **Victims:** Government entities known to use the custom Linux distribution BOSS (e.g., "BOSS 9" systems).
## Tools & Infrastructure
* **Malware Families:** DISGOMOJI (a custom Go-based fork of `discord-c2`).
* **Infrastructure:**
* C2: Discord messaging service, utilizing hardcoded authentication tokens and server IDs. Channels are named `sess-%s-%s` (OS-Username).
* Download Server: `clawsindia[.]in` (used to download the DISGOMOJI payload `vmcoreinfo`).
* Open-Source Tools Used Post-Infection: Nmap, Chisel, Ligolo.
* **Defanged C2 Domain:** clawsindia[.]in
## Implications
UTA0137 represents a high-fidelity espionage threat specifically tailored to compromise Linux-based government infrastructure in India, utilizing custom malware that hides C2 within a popular consumer application (Discord). The actor maintains persistence and systematically collects data, indicating long-term intelligence-gathering objectives. The continued successful deployment of an aged exploit like DirtyPipe suggests potential systemic patch management gaps within targeted organizations.
## Mitigations
* Patching and vulnerability management, specifically addressing known vulnerabilities like DirtyPipe (CVE-2022-0847), even on older firmware or OS versions (like BOSS 9).
* Enhance network monitoring for unusual outbound C2 traffic utilizing consumer platforms like Discord.
* Implement strict controls and monitoring around the execution of downloaded ELF binaries derived from potentially untrusted sources.
* Review system configuration for unauthorized crontab entries, particularly for persistence mechanisms.
* Be vigilant against phishing lures referencing sensitive government files (e.g., `DSOP.pdf`).