Emojis Control the Malware in Discord Spy Campaign

Recent reports have surfaced regarding an advanced persistent threat (APT) originating from Pakistan, targeting Indian government organizations through cyber espionage. This threat group, known as UTA0137, has been utilizing an old Linux bug and a unique Discord-based malware named Disgomoji to infiltrate high-level targets.

The emergence of Pakistani threat actors conducting espionage on the Indian government has been a topic of concern in recent times. Operations such as Operation RusticWeb, Transparent Tribe, and Celestial Force have been reported, although conclusive connections between these operations are yet to be established. The latest addition to this list is UTA0137, as detailed in a recent report by Volexity.

UTA0137 has been successful in compromising its targets by exploiting the “Dirty Pipe” Linux kernel vulnerability and using Disgomoji, an all-in-one espionage tool. What sets Disgomoji apart is its use of emojis for communication between the malware and the attacker. This unique feature allows attackers to issue commands using emojis, making the tool easy to operate with little technical effort.

According to researchers, Disgomoji is a modified version of the Golang-based program discord-c2, with Discord serving as its command center. The malware collects system information upon activation, establishes persistence through reboots, and can steal data from connected USB devices. The use of emojis for instructions adds a novel twist to the malware’s functionality, making it stand out from traditional espionage tools.

While the use of emojis may seem innocuous, security experts highlight the significance of UTA0137’s exploitation of the old Linux bug, CVE-2022-0847 (Dirty Pipe). This high-severity vulnerability allows unauthorized users to escalate privileges and gain root access in Linux systems. Despite being publicized over two years ago, this bug still poses a threat, particularly to the BOSS Linux distribution with millions of users in India.

Tom Lancaster, a principal threat intelligence analyst with Volexity, emphasizes the importance of keeping operating systems up to date to mitigate known vulnerabilities like Dirty Pipe. He also recommends that organizations assess whether their users need Discord access at all and block it if deemed unnecessary, to prevent potential malware infections.
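A practical first step toward the patching advice above is to check whether a host's kernel predates the upstream fix for CVE-2022-0847. The script below is an added example, not code from the Volexity report or from the article; it compares the `uname -r` version against the upstream stable releases that carried the fix (5.10.102, 5.15.25, 5.16.11, and 5.17 onward) and treats distro kernels that may have a backported fix as "check the vendor advisory" rather than "vulnerable".

```python
"""Triage a Linux kernel version string against the upstream fix for
CVE-2022-0847 (Dirty Pipe). Added example; not from the original article."""
import platform
import re

# The pipe_buffer flag bug was introduced in 5.8. These are the upstream
# stable releases that shipped the fix; mainline was fixed from 5.17 on.
# Distributions (including Debian-derived ones such as BOSS) often backport
# the fix without changing this version string, so a "check_vendor" result
# means "confirm against the distro advisory", not "confirmed vulnerable".
FIRST_VULNERABLE = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIXED_MAINLINE = (5, 17, 0)


def parse_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '5.15.0-91-generic' or '5.10.0-8-amd64'. Missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release: str) -> str:
    """Return 'not_affected', 'fixed' or 'check_vendor' for a kernel release."""
    v = parse_release(release)
    if v < FIRST_VULNERABLE:
        return "not_affected"
    if v >= FIXED_MAINLINE:
        return "fixed"
    fix = FIXED_IN.get(v[:2])
    if fix is not None and v >= fix:
        return "fixed"
    # 5.8-5.9 and 5.11-5.14 never received an upstream stable fix, and
    # older 5.10/5.15/5.16 builds may only be patched via vendor backports.
    return "check_vendor"


if __name__ == "__main__":
    rel = platform.release()
    print(f"{rel}: {dirty_pipe_status(rel)}")
```

Run it on each Linux host in an inventory and follow up every `check_vendor` result with the distribution's own changelog or advisory, since the version string alone cannot prove a backported fix is absent.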

In conclusion, the ongoing cyber espionage activities by the Pakistani threat actors highlight the importance of effective cybersecurity measures for government organizations. By staying vigilant, keeping systems updated, and monitoring network activity, entities can enhance their resilience against advanced threats like UTA0137 and safeguard sensitive information from malicious actors.
