Hackers now using emojis to command malware


Hackers are maximizing their efficiency when communicating with command and control servers. Rather than typing out commands, they’re using things like the ‘camera with flash’ emoji, which takes a screenshot on the victim’s device. The ‘fox’ emoji zips all Firefox profiles on the device, the ‘pointing finger’ exfiltrates files to nefarious servers, and a ‘skull’ terminates the malware process when they’re done.

Hackers are abusing the Discord messaging service for command and control (C2), researchers from cybersecurity firm Volexity have found.

In 2024, the Indian government was targeted by malware dubbed Disgomoji, which was attributed to a suspected Pakistani threat actor labeled UTA0137. Volexity’s analysis reveals that UTA0137, making use of emojis for its C2 communication, appears to be successful in campaigns focused on espionage and targeting Indian government entities.

The malware only targets Linux systems, specifically the custom distribution named BOSS, which is used by the Indian government. Researchers believe that the threat actors used phishing attacks for initial access, as suggested by the decoy documents they obtained, which were used as a lure.

“The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels,” the report reads.

Once started, Disgomoji sends a check-in message consisting of the IP, username, hostname, OS, and current working directory. It maintains persistence and can survive system reboots.

The malware then waits for additional messages. Communication is maintained using an emoji-based protocol, and attackers have to send emojis as their commands to the channel, with additional parameters where applicable. While Disgomoji processes the command, it reacts with a “Clock” emoji, and when it finishes, the “Check Mark Button” is displayed.

Many more emojis are used for various commands.

[Image: emoji-commands]
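A defender-side illustration of the command-then-acknowledge shape described above, added here as an example and not code from Volexity or the report: it scans constructed Discord-style message records for messages that open with an emoji and then collect a "Clock" reaction followed by a "Check Mark Button" reaction from one account other than the sender. The record format, account names, and exact emoji code points are assumptions.

```python
"""Heuristic detector for the emoji-command / emoji-acknowledgement pattern.
Runs over constructed message records (assumed format), not real Discord data."""
import unicodedata
from collections import Counter

# Emoji named on the page; the code points chosen here are assumptions.
CLOCK = "\N{ALARM CLOCK}"             # "Clock": implant is still working
CHECK = "\N{WHITE HEAVY CHECK MARK}"  # "Check Mark Button": implant finished


def is_emoji(ch):
    """Rough emoji test: a symbol code point outside the Latin/Symbol blocks."""
    return unicodedata.category(ch) == "So" and ord(ch) > 0x2000


def looks_like_emoji_command(content):
    """True when the message text opens with an emoji (parameters may follow)."""
    content = content.strip()
    return bool(content) and is_emoji(content[0])


def acked_by_same_account(msg):
    """True if one account (not the sender) reacted CLOCK and later CHECK."""
    by_reactor = {}
    for emoji, reactor, ts in msg["reactions"]:
        by_reactor.setdefault(reactor, {})[emoji] = ts
    for reactor, seen in by_reactor.items():
        if reactor == msg["author"]:
            continue
        if CLOCK in seen and CHECK in seen and seen[CLOCK] <= seen[CHECK]:
            return True
    return False


def flag_emoji_c2(messages):
    """Return {channel: number of command-shaped messages with a matching ack}."""
    hits = Counter()
    for msg in messages:
        if looks_like_emoji_command(msg["content"]) and acked_by_same_account(msg):
            hits[msg["channel"]] += 1
    return dict(hits)


SAMPLE = [  # constructed records; per the report, one channel per victim
    {"channel": "victim-01", "author": "op", "content": "\N{CAMERA WITH FLASH}",
     "reactions": [(CLOCK, "implant", 1), (CHECK, "implant", 4)]},
    {"channel": "victim-01", "author": "op", "content": "\N{FOX FACE}",
     "reactions": [(CLOCK, "implant", 10), (CHECK, "implant", 30)]},
    {"channel": "general", "author": "alice", "content": "lunch at noon?",
     "reactions": [(CHECK, "bob", 5)]},
    {"channel": "general", "author": "carol", "content": "\N{SKULL} that meeting",
     "reactions": [(CLOCK, "dave", 2)]},
]

if __name__ == "__main__":
    print(flag_emoji_c2(SAMPLE))  # {'victim-01': 2}
```

Ordinary chat with a single reaction, or a skull used as a joke, does not match because the heuristic needs both acknowledgement reactions in order from the same non-sender account.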

Disgomoji includes a mechanism that makes it difficult for Discord to disrupt its operations. Even if the malicious Discord server is banned, the malware can be restored by fetching updated Discord credentials from the C2 server.

The malware has many features, such as using Nmap to scan victim networks, Chisel and Ligolo for network tunneling, and a file-sharing service for downloading and hosting exfiltrated data. The malware sometimes asks victims to type their passwords while masquerading as a Firefox update.

“Disgomoji has exfiltration capabilities that support an espionage motive, including convenient commands to steal user browser data and documents and to exfiltrate data,” Volexity said.

Volexity attributes this malicious activity to a Pakistan-based threat actor “with moderate confidence.”

The malware sample had a Pakistani time zone hardcoded, there were weak infrastructure links to a known Pakistan-based threat actor, the Punjabi language was used, and the targets consisted of organizations that would be of interest to Pakistan.