Emojis Replace Code in New Cyberattack


Instead of typing out full commands, the attackers communicate with their command and control (C2) server using emojis: the ‘camera with flash’ takes a screenshot, the ‘fox’ zips all Firefox profiles on the device, the ‘pointing finger’ exfiltrates files to attacker-controlled servers, and the ‘skull’ terminates the malware process once the operators have achieved what they wanted. The technique was discovered by researchers from cybersecurity firm Volexity.

Earlier this year, the Indian government was targeted by ‘Disgomoji’ malware (attributed to suspected Pakistani threat actor UTA0137), which uses emojis for C2 communication. The attack focused on espionage against Indian government entities and appears to have been successful. The report on this new method of attack explains that the malware is operated through Discord servers: it creates a dedicated channel for itself in the Discord server, so that each channel represents an individual victim and the attacker can interact with every victim individually through that channel.

According to Cybernews, when the attack is initiated, Disgomoji sends a check-in message containing the IP address, username, hostname, OS, and current working directory, then waits for additional messages. It maintains persistence and can survive system reboots. While processing a command the malware responds with a “Clock” emoji, and when it finishes it posts a “Check Mark Button”.
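The emoji protocol described above (operator sends a single emoji, the implant answers with a clock while working and a check mark when done, after an initial check-in listing host details) has a recognisable shape that a defender can look for in collected Discord channel logs. The detector below is an added example written for this article; it is not Volexity's code or any published IoC. The message records, channel and author names, and the `key=value` layout of the check-in line are constructed assumptions, and emojis are matched by their Unicode character names (as the article names them) rather than by hard-coded code points, so the "pointing finger" and "clock" families are covered generically.

```python
"""Heuristic detector for emoji-driven C2 chatter in Discord-style message logs.

Added example; constructed sample data and assumed message layout. Flags
(1) check-in messages that post host inventory (IP, user, host, OS, cwd) and
(2) command / working-ack / done-ack sequences: an emoji-only message from one
author followed by a clock emoji and then a check-mark emoji from a different
author in the same channel.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command emojis named in the article, resolved through Unicode character names.
COMMAND_EMOJI_NAMES = {
    "CAMERA WITH FLASH": "screenshot",
    "FOX FACE": "zip firefox profiles",
    "SKULL": "terminate",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed inventory field labels; "username"/"hostname" fold to "user"/"host".
INVENTORY_KEY = re.compile(r"\b(user(?:name)?|host(?:name)?|os|cwd)\b")


@dataclass
class Message:
    channel: str
    author: str
    content: str


def emoji_role(text: str) -> Optional[str]:
    """Classify a message that consists of exactly one emoji.

    Returns "command:<label>", "ack:working", "ack:done", or None.
    """
    s = text.strip().rstrip("\ufe0f")  # drop a trailing variation selector
    if len(s) != 1:
        return None
    try:
        name = unicodedata.name(s)
    except ValueError:
        return None
    if name in COMMAND_EMOJI_NAMES:
        return "command:" + COMMAND_EMOJI_NAMES[name]
    if "POINTING" in name and "INDEX" in name:  # any pointing-finger variant
        return "command:exfiltrate files"
    if "CLOCK" in name:  # alarm clock, clock faces, etc.
        return "ack:working"
    if "CHECK MARK" in name:
        return "ack:done"
    return None


def looks_like_checkin(content: str) -> bool:
    """Assumed check-in shape: an IPv4 address plus at least three distinct
    inventory labels from the set the article lists."""
    if not IPV4.search(content):
        return False
    keys = {m.group(1)[:4] for m in INVENTORY_KEY.finditer(content.lower())}
    return len(keys) >= 3


def detect(messages: List[Message]) -> List[Tuple[str, str]]:
    """Walk the log in order and return (channel, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    pending = {}  # channel -> (operator, command label, state)
    for m in messages:
        if looks_like_checkin(m.content):
            findings.append((m.channel, f"check-in from {m.author}: host inventory posted"))
            continue
        role = emoji_role(m.content)
        if role is None:
            continue  # ordinary text; the sequence may still complete later
        if role.startswith("command:"):
            pending[m.channel] = (m.author, role.split(":", 1)[1], "sent")
        else:
            st = pending.get(m.channel)
            if st is None or st[0] == m.author:
                continue  # no outstanding command, or the sender acked itself
            if role == "ack:working" and st[2] == "sent":
                pending[m.channel] = (st[0], st[1], "working")
            elif role == "ack:done" and st[2] == "working":
                findings.append((m.channel,
                                 f"emoji command '{st[1]}' from {st[0]} acknowledged by {m.author}"))
                del pending[m.channel]
    return findings


# Constructed sample log: one per-victim channel plus unrelated human chatter.
SAMPLE = [
    Message("victim-7f3a", "agent", "10.0.0.23 user=alice host=ws-01 os=Linux cwd=/home/alice"),
    Message("victim-7f3a", "operator", "📸"),
    Message("victim-7f3a", "agent", "⏰"),
    Message("victim-7f3a", "agent", "✅"),
    Message("general", "bob", "✅"),
    Message("general", "carol", "great, thanks"),
    Message("victim-7f3a", "operator", "💀"),
    Message("victim-7f3a", "agent", "⏰"),
    Message("victim-7f3a", "agent", "✅"),
]

if __name__ == "__main__":
    for channel, finding in detect(SAMPLE):
        print(f"[{channel}] {finding}")
```

A lone ✅ from a person in a busy channel is normal, so the detector only fires on the full command, clock, check-mark exchange between two different authors in one channel, which is what makes this protocol distinctive; the check-in heuristic is independent and will need its field labels adjusted to whatever layout is actually observed.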

Furthermore, the malware includes a mechanism that makes it difficult for Discord to disrupt its operations, so that even if the server is banned, the malware can be restored by updating the Discord credentials from the C2 server.

Volexity said in a report: “Disgomoji has exfiltration capabilities that support an espionage motive, including convenient commands to steal user browser data and documents and to exfiltrate data.” The firm attributes the activity to a Pakistan-based threat actor because the malware sample had a Pakistani time zone hardcoded, there were weak infrastructure links to a known Pakistan-based threat actor, the actor used Punjabi, and the organizations targeted would be of interest to Pakistan.