Gurucul Threat Research: DisGoMoji Malware

The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware. The unusual combination of targeting Linux systems with malware disguised as legitimate documents, typically employed in phishing attacks, indicates a high level of specific knowledge about the victim. This suggests that the attackers had a clear understanding that their target was a Linux desktop user.

Key Insights and Statistics

  1. DISGOMOJI Malware:
  • DISGOMOJI is a custom fork of the public project “discord-c2.”
  • It leverages Discord for command and control (C2) communication, using emojis as part of its C2 protocol.
  • It was delivered as an ELF binary packed with UPX.
  2. Attack Flow:
  • The initial payload, disguised as a benign lure file named “DSOP.pdf,” downloads from a remote server.
  • The next-stage payload, named “vmcoreinfo,” is an instance of DISGOMOJI.
  • DISGOMOJI is dropped in a hidden folder within the user’s home directory.
  • It establishes communication with a Discord server, creating a dedicated channel for each victim.
  3. Persistence and Exfiltration:
  • DISGOMOJI maintains persistence by creating a hidden folder and using Discord channels for communication.

Technical Analysis:

SHA256: d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529

Within the ELF binary, there exists a hardcoded authentication token and server ID. These two critical pieces of information play a pivotal role in establishing communication with the Discord server. Here’s a breakdown of their significance:

  1. Authentication Token:
    • An authentication token serves as a digital credential, granting access to specific resources.
    • In this context, the token allows the malware (DISGOMOJI) to authenticate itself with the Discord server.
    • By embedding the token directly into the ELF binary, the threat actor ensures that the malware can seamlessly establish communication without requiring additional user input.
  2. Server ID:
    • The server ID uniquely identifies the target Discord server.
    • It acts as a destination address for the malware’s communication.
    • By hardcoding the server ID, the attacker ensures that DISGOMOJI connects to the intended server, avoiding any ambiguity.

  1. The channel name follows a specific pattern: sess-%s-%s.
  2. The first %s value corresponds to the operating system (OS) of the infected machine.
  3. The second %s is dynamically formatted using the victim’s username.

When DISGOMOJI infects a system, it dynamically creates a dedicated channel within the Discord server.

Each channel corresponds to an individual victim—someone whose system has been compromised by the malware. By doing so, the attacker establishes a discreet and isolated communication channel for each victim.

The attacker can issue specific commands, retrieve data, or manipulate the victim’s system on a per-channel basis.

When DISGOMOJI initializes, it promptly sends a check-in message to the designated channel. This message serves as an initial handshake and provides crucial details about the victim system. Let’s break down the information included in this check-in message:

  1. Internal IP:
  • The internal IP address of the compromised machine is disclosed.
  • This address helps the attacker understand the network topology and potentially identify other vulnerable systems within the same network.
  2. Username:
  • The victim’s username is part of the check-in message.
  • Knowing the username aids in personalizing interactions and tracking individual victims.
  3. Hostname:
  • The hostname (or computer name) reveals the identity of the victim system.
  • It can provide clues about the organization, department, or user associated with the machine.
  4. Operating System:
  • DISGOMOJI reports the operating system running on the victim’s system.
  • Whether it’s Linux, Windows, or another OS, this information informs subsequent actions.
  5. Current Working Directory:
  • The current working directory (CWD) reflects the location where DISGOMOJI is executing.
  • It helps the attacker understand the context within which the malware operates.

In summary, this check-in message acts as a reconnaissance report, equipping the attacker with essential details for further actions within the compromised environment.

The presence of the uevent_seqnum.sh script in the DISGOMOJI campaign adds an intriguing layer of functionality. Although the script itself could not be obtained for direct analysis, insights from other sources shed light on its purpose.

uevent_seqnum.sh Script:

  1. It likely monitors the Linux kernel’s uevent subsystem, which handles device-related events.
  2. By tracking these events, the script can identify when USB devices are connected or disconnected.
  3. Files copied from those devices then serve as potential data exfiltration targets for the attacker.

In summary, the uevent_seqnum.sh script plays a critical role in the attacker’s data exfiltration tactics, leveraging USB device connections as a vector for information theft.

The following breaks down how DISGOMOJI ensures persistence on the compromised system using cron:

  1. Cron for Persistence:
  • DISGOMOJI leverages cron to execute specific tasks at predefined intervals.
  • By adding an entry to the crontab (the cron configuration file), the malware ensures that its functionality persists beyond reboots.

  2. @reboot Entry:
  • The @reboot directive in the crontab triggers the specified command upon system startup.
  • DISGOMOJI inserts an @reboot entry pointing to itself, ensuring that it runs automatically after every reboot.
  • This persistence mechanism allows the malware to maintain control over the compromised system even if it restarts.

In summary, DISGOMOJI strategically utilizes cron and the @reboot directive to establish long-lasting persistence, enabling continued malicious activity.
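As an added example (this is not code from the report, nor from the malware), the Python below is a small checker a defender can run over a user's crontab to flag exactly the combination described above: an @reboot entry whose executable lives in a hidden directory under the home folder. The crontab text and the directory name .local-cache are constructed sample data, not values taken from an infection.

```python
import re
from pathlib import PurePosixPath

# Constructed sample crontab for the user "alice"; ".local-cache" is a made-up
# hidden directory name standing in for whatever the malware actually uses.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/backup.sh --quiet
@reboot /home/alice/.local-cache/vmcoreinfo
@reboot /usr/bin/setxkbmap -option caps:escape
@reboot ~/.cache/vmcoreinfo
"""


def parse_crontab(text):
    """Yield (schedule, command) pairs; comments, blank lines and VAR=value lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):            # @reboot, @daily, ... followed by the command
            parts = line.split(None, 1)
        else:                               # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def is_hidden_home_path(path, home):
    """True when the path sits below a dot-directory inside `home` (e.g. ~/.cache/x)."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    try:
        rel = PurePosixPath(path).relative_to(home)
    except ValueError:                      # not under the home directory at all
        return False
    # Only directory components count; a hidden *file* directly in $HOME is a different case.
    return any(part.startswith(".") for part in rel.parts[:-1])


def suspicious_reboot_entries(text, home="/home/alice"):
    """Return the commands of @reboot entries whose executable lives in a hidden home dir."""
    hits = []
    for schedule, command in parse_crontab(text):
        if schedule != "@reboot":
            continue
        exe = command.split()[0]
        if is_hidden_home_path(exe, home):
            hits.append(command)
    return hits


if __name__ == "__main__":
    for entry in suspicious_reboot_entries(SAMPLE_CRONTAB):
        print("suspicious @reboot entry:", entry)
```

On a live host the same function can be fed the output of `crontab -l -u <user>` for each account, and the `home` argument taken from the password database; legitimate @reboot entries under /usr or /opt are left alone, so the output is short enough to review by hand.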

DISGOMOJI employs an unconventional but clever method for command and control (C2) communication. The emoji-based protocol breaks down as follows:

  1. 🏃‍♂️ Execute a Command:
    • This command triggers the execution of a specified action or script on the victim’s device.
    • The attacker can issue custom commands, potentially running additional malicious code.
  2. 📸 Capture a Screenshot:
    • DISGOMOJI takes a screenshot of the victim’s screen.
    • Useful for monitoring the user’s activities or capturing sensitive information.
  3. 👇 Upload to Channel:
    • The malware uploads a file from the victim’s device directly to the Discord channel.
    • The attacker can retrieve the uploaded file from the channel.
  4. 👈 Upload to transfer[.]sh:
    • Similar to the previous command, but the file is uploaded to the external service transfer[.]sh.
    • This approach may help avoid immediate detection.
  5. ☝️ Download a File:
    • DISGOMOJI downloads a specified file to the victim’s device.
    • The attacker can provide a URL or a path to the desired file.
  6. 👉 Download from oshi[.]at:
    • The malware fetches a file hosted on oshi[.]at (a specific domain).
    • The attacker controls the content available on this domain.
  7. 🔥 File Exfiltration:
    • DISGOMOJI searches for files with specific extensions (CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, ZIP).
    • If found, it exfiltrates these files—potentially sensitive data—to the attacker.
  8. 🦊 Firefox Profile Gathering:
    • The malware collects all Mozilla Firefox profiles on the victim’s device.
    • These profiles may contain browser history, saved passwords, and other user data.
  9. 💀 Terminate Malware Process:
    • The attacker can remotely terminate the DISGOMOJI process on the victim’s device.
    • Useful for cleanup or avoiding detection.
  10. 🕐 Command Processing Notification:
    • Indicates that the requested command is being processed.
    • Provides feedback to the attacker during the execution.
  11. Command Completion Notification:
    • Informs the attacker that the requested command has successfully executed.
    • Allows the attacker to proceed with further actions.

In summary, these emojis serve as a covert language for controlling DISGOMOJI, enabling precise interactions while maintaining stealth.
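The following Python snippet is an added triage helper, not part of the original report and not the malware's own code. It tags exported Discord messages for an analyst using two facts documented above: the emoji-to-action mapping, and the per-victim channel naming pattern sess-<os>-<username>. Channel names and messages are constructed sample data; the completion-notification emoji is not shown on this page, so it is omitted from the table.

```python
import re

# Control emojis documented above, mapped to the action each one triggers.
# The completion-notification emoji is not shown on this page and is left out.
EMOJI_COMMANDS = {
    "🏃‍♂️": "execute_command",
    "📸": "capture_screenshot",
    "👇": "upload_to_channel",
    "👈": "upload_to_transfer_sh",
    "☝️": "download_file",
    "👉": "download_from_oshi_at",
    "🔥": "file_exfiltration",
    "🦊": "firefox_profile_gathering",
    "💀": "terminate_process",
    "🕐": "processing_notification",
}

# Per-victim channel names follow sess-<os>-<username>; the username may itself contain hyphens.
CHANNEL_RE = re.compile(r"^sess-(?P<os>[^-]+)-(?P<user>.+)$")

# Constructed sample of (channel, message) pairs, as an analyst might export them.
SAMPLE_MESSAGES = [
    ("sess-linux-alice", "🔥"),
    ("sess-linux-alice", "🕐"),
    ("sess-linux-j-doe", "📸 now"),
    ("general", "lunch at 12? 🔥🔥"),      # emoji not in leading position: normal chatter
    ("sess-linux-alice", "hello"),
]


def classify_message(text):
    """Return the action name if the message starts with a control emoji, else None."""
    text = text.lstrip()
    for emoji, action in EMOJI_COMMANDS.items():
        if text.startswith(emoji):
            return action
    return None


def triage(messages):
    """Keep only messages that look like DISGOMOJI C2 traffic: a sess-<os>-<user>
    channel plus a leading control emoji. Returns one dict per finding."""
    findings = []
    for channel, text in messages:
        m = CHANNEL_RE.match(channel)
        action = classify_message(text)
        if m and action:
            findings.append({"channel": channel, "os": m["os"],
                             "user": m["user"], "action": action})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f['channel']}: {f['action']} (victim {f['user']} on {f['os']})")
```

Requiring both signals (channel pattern and leading emoji) keeps ordinary emoji use in unrelated channels out of the findings; the "os" and "user" fields give the responder the victim identity the channel name encodes without any further lookup.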

IOCs

Type             IOC
FileHash-SHA1    e5182d13d66c3efaa7676510581d622f98471895
FileHash-SHA256  1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99
FileHash-SHA256  c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002
FileHash-SHA256  d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529
URL              http://ordai.quest/vmcoreinfo
domain           clawsindia.in
domain           ordai.quest
IPv4             179.43.175.111
FileHash-MD5     01c34ccd7ca7c5cdf88272d8c9071004
FileHash-MD5     04a3f16c76f2e6d9eba34dd132fc8c27
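As an added example (not from the report), the Python below loads the indicators from the table above and scans a handful of constructed log lines for them. Hashes are classified by length and compared case-insensitively; domains and IP addresses are matched on token boundaries so that an unrelated name that merely contains the same substring, or a longer IP with the same prefix, is not flagged. The log lines are made up for this demonstration.

```python
import re

# Indicators copied from the IOC table above.
IOC_HASHES = {
    "e5182d13d66c3efaa7676510581d622f98471895",
    "1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99",
    "c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002",
    "d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529",
    "01c34ccd7ca7c5cdf88272d8c9071004",
    "04a3f16c76f2e6d9eba34dd132fc8c27",
}
IOC_DOMAINS = {"clawsindia.in", "ordai.quest"}
IOC_IPS = {"179.43.175.111"}
IOC_URLS = {"http://ordai.quest/vmcoreinfo"}

HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")

# Constructed log lines (DNS, proxy, EDR, firewall) for demonstration only.
SAMPLE_LOGS = [
    "2024-06-20T10:01:02Z dns query=ordai.quest client=10.0.0.5",
    "2024-06-20T10:01:03Z proxy GET http://ordai.quest/vmcoreinfo status=200",
    "2024-06-20T10:01:04Z edr file=/home/alice/.local-cache/vmcoreinfo "
    "sha256=D9F29A626857FA251393F056E454DFC02DE53288EBE89A282BAD38D03F614529",
    "2024-06-20T10:02:00Z dns query=notordai.quest client=10.0.0.7",     # must not match
    "2024-06-20T10:03:00Z fw dst=179.43.175.111 dport=443 action=allow",
    "2024-06-20T10:03:01Z fw dst=179.43.175.1110 dport=443 action=allow",  # must not match
]


def _bounded(token, left, right):
    """Compile a regex that matches `token` only when bracketed by the given lookarounds."""
    return re.compile(left + re.escape(token) + right, re.IGNORECASE)


# A domain may be preceded by "." (subdomain) but not by a letter, digit or hyphen.
DOMAIN_RES = {d: _bounded(d, r"(?<![\w-])", r"(?![\w-])") for d in IOC_DOMAINS}
# An IP may not be preceded or followed by another digit or dot.
IP_RES = {ip: _bounded(ip, r"(?<![\d.])", r"(?![\d.])") for ip in IOC_IPS}


def scan_line(line):
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for m in HEX_RE.finditer(line):
        h = m.group(0).lower()
        if h in IOC_HASHES:
            hits.append((HASH_KIND[len(h)], h))
    lowered = line.lower()
    for url in sorted(IOC_URLS):
        if url.lower() in lowered:
            hits.append(("url", url))
    for dom, rx in sorted(DOMAIN_RES.items()):
        if rx.search(line):
            hits.append(("domain", dom))
    for ip, rx in sorted(IP_RES.items()):
        if rx.search(line):
            hits.append(("ipv4", ip))
    return hits


def scan(lines):
    """Scan many lines; returns (1-based line number, kind, value) triples."""
    return [(i, kind, value)
            for i, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} {value}")
```

The URL hit on the proxy line also produces a domain hit for ordai.quest; that is intentional, since a domain indicator should fire on its own even where the full URL was not logged.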

About the Author:

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.