DISGOMOJI Malware Used to Target Indian Government

June 18, 2024, 6:42 a.m.

Description

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities include data exfiltration, persistence mechanisms, and the ability to execute arbitrary commands. Volexity uncovered UTA0137's use of the DirtyPipe exploit against vulnerable BOSS Linux systems, as well as their post-exploitation tactics like network scanning and tunneling. The intrusions appear successful, highlighting UTA0137's evolving tradecraft and persistent interest in Indian targets.

External References

https://raw.githubusercontent.com/volexity/threat-intel/main/2024/2024-06-13%20DISGOMOJI/indicators/iocs.csv
https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/
https://otx.alienvault.com/pulse/66712446e23b1d14e4f293eb
Tags
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847

Date

  • Created: June 18, 2024, 6:08 a.m.
  • Published: June 18, 2024, 6:08 a.m.
  • Modified: June 18, 2024, 6:42 a.m.

Indicators

  • fe7e7a5a1b1d634dec3fc9c6bc91c6e96ec635fece5af10cfac894fd228ca38d
  • fb30e5c67b92dc17d7a6e412f36d9b521842f8d7df38a00584c1362303b26655
  • ead993c1d537c239750e19a5700a58501dab319d5d271bf85137608448c1faa0
  • e89589e9ce043b28def17c91fa780322205ee08daa8b3cffe67b46bdae0e3a35
  • dfb72668791b4fe28884706b7756b02b951b43219e528b970ceb0369c86e3fd3
  • db9afd2c59f20e04db37ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604
  • db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32
  • d3d5d0b210c3fc5c679419d6aa9014f62dcd60b0582cd8d544357f6420407b36
  • cfb9ffb83877b421e95c9a2c3f65c106b9afb42babce7ba824671f9736bf0f7c
  • c177361992b207575b9aeb98aad7c2d522eace7ada6f1351434dd79a921ce260
  • af2201af8054e8e11eef7980fe15dc62eb2b7582f4f2bab4d8256f23f6db984e
  • bac7e6776c120b2b5da4d171afaea26144e77ad54f7516a0325260ee020b3f52
  • ae59ba12ec6a42ee5b08c3e2ce91ec02071b2f5ad9338e3a19d690bd68acb860
  • 9c1ffafe0bb4388569fed2a8d4af591ce65ae00f47793ee97c07f686c5fab100
  • 98b24fb7aaaece7556aea2269b4e908dd79ff332ddaa5111caec49123840f364
  • 76d9654f28bcaa713a99caa2839a572fc999a726827a0216da71ac184cee6d19
  • 8c8ef2d850bd9c987604e82571706e11612946122c6ab089bd54440c0113968e
  • 74e0af32c47e3bbe6becfb4027bbdcc01fbe36c92c70ce8edd676cc9aa3d6437
  • 5ef431a481c9baeb1d8cfaf6e1c323531a57c14a5b878575b267f2f969451fdb
  • 6c2f18f5d70f794b8826ee2575d973ddb07cbf9d15115973fe92df74079b6412
  • 5ecbc33fe3b345f2956cff566203e33b9390a3ed9923b990a46804880ae2f59b
  • 5821744413146654397903128fece87d7d9d71c4ade5fd40cdcf3cece2faf8f0
  • 4ddf0c70be0b81ab44f018521f788213de2ccf72b7a7f452f327b81172014182
  • 38e1c0ca15ed83ed27148c31a31e0b33de627519ab2929d4aa69484534589086
  • 3d1b3ba5e1c1d1626595098f042913bc39601c80ab2c934cb994d3c053f218c5
  • 3845877017eb07be71820e8514502a3dcd24177540591c5ce2c13aca94caa4ac
  • 2cec6bd5e9ff046771623cfa0802cacd78b7521bf61b144e9c8dfa77d994927c
  • 37bfa72c2820bcf9adb8707ae624452e0b769bc1c1f2a24ebb518c6e1794f3e2
  • 2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3
  • 26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11
  • 207334927fc39278e37afe124769ed980e9a8ae86b0346408af64c86a7c99e6a
  • 1b1d1d775571232235ed6fb84413eb60593340c1c1ea3b77bd72d3b68058f55c
  • 1cdf1f32f31e226f037fda562985e481b7aa0b809971f2e40b713b034cf1d44e
  • 1844156b1a72a7daa8de4139175a2bdeb4bd326b9e3e1fb4dd2ae00b313b0a44
  • 1387b77a41e5a244c03ea7f5c90a2e528abe0ed7a4e6cb659183f7112c546046
  • 0c284271e3d90a6673d84cf6291f92f32ade7c7f760bbe135880b949b38046ee
  • 0cb88c8b8e2969af26678df4d3c395101c49c7c808d2cb2d7a0f00f60bdddcba
  • 0b5cf9bd917f0af03dd694ff4ce39b0b34a97c9f41b87feac1dc884a684f60ef
  • 03666fb1c21d8a8cf38219691d2218d78eef5b00d20f26c25afde5d9e1daf80a
  • 1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99
  • c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002
  • 9709b0876c2a291cb57aa0646f9179d29d89abb2f8868663147ab0ca4e6c501b
  • 51a372fee89f885741515fa6fdf0ebce860f98145c9883f2e3e35c0fe4432885
  • 1e657d3047f3534dcd4539ce54db9f5901f7e53999bae340a850cc8d2aacc33c
  • d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529
  • 179.43.175.111
  • www2.clawsindia.in
  • www.www.clawsindia.in
  • www.shop.clawsindia.in
  • www.secy-org.in
  • www.publicinfo.in
  • www.ordai.quest
  • www.old.clawsindia.in
  • www.nic-tech.in
  • www.mailgate.clawsindia.in
  • www.infosec2.in
  • www.esttsec.in
  • www.estbsec.in
  • www.epar-online.in
  • www.emailnic.online
  • www.emailnic-tech.email
  • www.dev.clawsindia.in
  • www.defenseinsight.in
  • www.coordsec2.in
  • www.clawsindia.in
  • www.certdehli.in
  • www.awesscholarship.in
  • www.awesindia.online
  • www.apsdelhicantt.in
  • www.admincoord.in
  • http://ordai.quest/vmcoreinfo
  • ww12.epar-online.in
  • whm.clawsindia.in
  • webmail.clawsindia.in
  • webdisk.defenseinsight.in
  • webdisk.estbsec.in
  • webdisk.clawsindia.in
  • test.clawsindia.in
  • sql.clawsindia.in
  • smtp.mail.clawsindia.in
  • shop.clawsindia.in
  • portal.clawsindia.in
  • pop3.clawsindia.in
  • pop.clawsindia.in
  • play.emailnic.online
  • pcda.admincoord.in
  • outlook.emailnic.online
  • old.clawsindia.in
  • ns1.clawsindia.in
  • mx4.clawsindia.in
  • mx10.clawsindia.in
  • mx0.clawsindia.in
  • mbox.clawsindia.in
  • mailrelay.clawsindia.in
  • mailgate.clawsindia.in
  • mail6.clawsindia.in
  • mail.clawsindia.in
  • m.emailnic.online
  • mail.defenseinsight.in
  • m.clawsindia.in
  • login.emailnic.online
  • localhost.clawsindia.in
  • lists.clawsindia.in
  • intranet.clawsindia.in
  • insight.defenseinsight.in
  • imap.clawsindia.in
  • help.clawsindia.in
  • gate.clawsindia.in
  • ftp.publicinfo.in
  • ftp.clawsindia.in
  • epar.emailnic-tech.email
  • email.publicinfo.in
  • email.parichay.online
  • email.gov.in.parichay.online
  • email.gov.in.estbsec.in
  • email.estbsec.in
  • email.emailnic.online
  • email.emailnic-tech.email
  • email.coordsec2.in
  • email.apsdelhicantt.in
  • dev.nic-tech.in
  • dev.clawsindia.in
  • dc-mx.ae172f95f2ec.defenseinsight.in
  • cpanel.clawsindia.in
  • blog.clawsindia.in
  • cloud.publicinfo.in
  • autoconfig.clawsindia.in
  • adfs.clawsindia.in
  • accounts.emailnic.online
  • account.emailnic.online
  • parichay.online
  • nic-tech.in
  • epar-online.in
  • emailnic.online
  • defenseinsight.in
  • certdehli.in
  • awesscholarship.in
  • apsdelhicantt.in
  • ordai.quest
  • secy-org.in
  • publicinfo.in
  • infosec2.in
  • esttsec.in
  • emailnic-tech.email
  • estbsec.in
  • coordsec2.in
  • clawsindia.in
  • awesindia.online
  • admincoord.in
Download all indicators here!

Attack Patterns

  • DISGOMOJI
  • UTA0137

Additional Informations

  • Government
  • India

Linked vulnerabilities

CVE-2022-0847

None
Published:

CVE-2024-3400

None
Published: