Pakistani threat actors use Discord emojis to spy on Indian government agencies

In a new twist in the Indo-Pak cyber conflict, an advanced persistent threat (APT) group from Pakistan is now combining an old Linux vulnerability dubbed “Dirty Pipe” with a Discord-based espionage tool called “Disgomoji” to spy on Indian government organisations.

Security researchers at Volexity have discovered a new group, tracked as UTA0137, which has successfully compromised high-level targets in the Indian government using this combination. The researchers found the Pakistani time zone hardcoded in one malware sample, and Punjabi-language strings in the malware itself. The malware also has weak infrastructure links to SideWinder, a known Pakistani hacker group.

While the “Dirty Pipe” vulnerability, tracked as CVE-2022-0847 with a CVSS score of 7.8, is commonly exploited, the Disgomoji tool takes a special turn by hiding its commands in emojis.

The tool is based on the open-source Discord-c2 program, written in Go. As the name suggests, it uses Discord as its command-and-control centre, and each infected machine is given its own channel for easier management. It is a very user-friendly espionage tool, especially since operators can instruct the program with emojis instead of complex strings or numeric commands.

The group has also improved the tool over time, notably by changing how the malware manages Discord tokens. This makes it harder for Discord to detect the attacker’s servers, since the attacker can update the underlying client configuration when required.

The “Dirty Pipe” vulnerability has been public for over two years but still affects nearly six million systems running the BOSS Linux distribution, a significant number of them in India. Since the vulnerability allows an attacker to escalate to root privileges on the targeted system, it makes the perfect entry point for an espionage tool that can run commands and upload or download files from the system.
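A first triage step for fleets like the one described above is to check reported kernel versions against the Dirty Pipe window. The following Python helper is an added example, not code from the article or from Volexity. It assumes only the upstream history of CVE-2022-0847 (bug introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11, and in 5.17 mainline); the hostnames and version strings in the sample inventory are constructed. Distribution kernels often backport fixes without bumping the upstream version number, so a "vulnerable" verdict here means "check the vendor advisory", not "confirmed exploitable".

```python
"""Triage helper: does a `uname -r` string fall in the CVE-2022-0847 ("Dirty Pipe") window?

Added example; not from the article or from Volexity. Assumes the upstream fix
points only (introduced 5.8; fixed 5.10.102, 5.15.25, 5.16.11 and 5.17). Distro
backports are NOT modelled, so treat "vulnerable" as "needs advisory check".
"""
import re
from typing import Dict, Optional, Tuple

# Upstream stable branches that received a fix: (major, minor) -> first fixed patch level.
FIXED_PATCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
INTRODUCED = (5, 8)       # first affected branch
FIXED_MAINLINE = (5, 17)  # first mainline branch that never had the bug


def parse_kernel_version(uname_r: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as '5.10.0-20-amd64'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_window(uname_r: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-affected' judged by upstream version alone."""
    parsed = parse_kernel_version(uname_r)
    if parsed is None:
        raise ValueError(f"unparseable kernel version: {uname_r!r}")
    major, minor, patch = parsed
    branch = (major, minor)
    if branch < INTRODUCED or branch >= FIXED_MAINLINE:
        return "not-affected"
    fixed_at = FIXED_PATCH.get(branch)
    if fixed_at is None:
        # 5.8 to 5.14 (other than 5.10) were end-of-life upstream and got no stable fix.
        return "vulnerable"
    return "patched" if patch >= fixed_at else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a {host: uname_r} inventory."""
    return {host: dirty_pipe_window(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "5.10.0-20-amd64",      # Debian-style string: upstream says vulnerable, distro may have backported
        "ws-02": "5.15.25-generic",      # at the fix point
        "srv-01": "5.4.0-150-generic",   # predates the bug
        "srv-02": "5.13.0-52-generic",   # EOL branch, never fixed upstream
        "lab-01": "6.1.0-18-amd64",      # postdates the fix
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

The first sample host shows why the caveat matters: a 5.10.0 version string looks vulnerable upstream, but distribution kernels carrying that string may already ship the backported fix, so the script's output is a worklist for advisory checks rather than a final verdict.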

After exploitation, the attackers often use a pre-installed utility called Zenity to display dialog boxes, combined with social engineering, to lure users into giving up their passwords. Volexity’s report recommends that suspected targets monitor network activity and audit active or recent Discord activity to ensure there is no malware infection.
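One concrete way to act on that recommendation is to hunt for Discord API traffic from hosts that have no business reason to use Discord. The script below is an added example, not part of the article or of Volexity's report. It assumes a comma-separated web-proxy log with the fields timestamp,src_host,dst_host,method,path and a per-organisation allowlist of hosts that legitimately use Discord; the domains in DISCORD_DOMAINS are Discord's public API, CDN and gateway domains, while every hostname, timestamp, channel ID and path in the sample log is constructed.

```python
"""Hunt for Discord command-and-control style traffic in a web-proxy log.

Added example; not from the article or from Volexity. Assumes a constructed
CSV-style proxy log (timestamp,src_host,dst_host,method,path) and an
allowlist of hosts that are expected to talk to Discord.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Public Discord domains (API, CDN, gateway). Subdomains are matched too.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discordapp.net", "discord.gg")


def is_discord_host(dst_host: str) -> bool:
    """True if dst_host is a Discord domain or a subdomain of one."""
    h = dst_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DISCORD_DOMAINS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for malformed lines so they are skipped, not fatal."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, method, path = parts
    return {"ts": ts, "src": src, "dst": dst, "method": method, "path": path}


def hunt(log_lines: Iterable[str], allowed_sources: Set[str]) -> Dict[str, Dict[str, object]]:
    """Summarise Discord traffic per non-allowlisted source host.

    A host that repeatedly polls /api/... endpoints and also writes to them
    (POST/PUT) looks like an automated client, not a person using the web app.
    """
    findings: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"requests": 0, "api_reads": 0, "api_writes": 0, "first_seen": None}
    )
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not is_discord_host(rec["dst"]) or rec["src"] in allowed_sources:
            continue
        f = findings[rec["src"]]
        f["requests"] += 1
        if f["first_seen"] is None:
            f["first_seen"] = rec["ts"]
        if rec["path"].startswith("/api/"):
            if rec["method"] in ("POST", "PUT", "PATCH"):
                f["api_writes"] += 1
            else:
                f["api_reads"] += 1
    return dict(findings)


# Constructed sample log: hostnames, times, channel ID and paths are made up.
SAMPLE_LOG = [
    "2024-06-10T09:00:01Z,ws-comms-01,discord.com,GET,/app",
    "2024-06-10T09:00:05Z,ws-finance-07,discord.com,GET,/api/v9/channels/1234567890/messages",
    "2024-06-10T09:00:15Z,ws-finance-07,discord.com,GET,/api/v9/channels/1234567890/messages",
    "2024-06-10T09:00:20Z,ws-finance-07,discord.com,POST,/api/v9/channels/1234567890/messages",
    "2024-06-10T09:00:25Z,ws-finance-07,cdn.discordapp.com,GET,/attachments/1234567890/99/update.bin",
    "2024-06-10T09:01:00Z,ws-hr-02,example.com,GET,/",
    "this line is malformed",
]
ALLOWED = {"ws-comms-01"}  # hosts with a known, sanctioned Discord use

if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_LOG, ALLOWED).items():
        print(host, summary)
```

In the sample, ws-comms-01 is ignored because it is allowlisted, and ws-finance-07 is surfaced with four Discord requests, two API reads, one API write and a CDN download, which is exactly the shape of traffic worth pulling host artefacts for.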

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.