Back

DISGOMOJI Malware Used to Target Indian Government

June 18, 2024, 6:42 a.m.

Tags

linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847

External References

https://raw.githubusercontent.com/

https://www.volexity.com/

https://otx.alienvault.com/

Description

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities include data exfiltration, persistence mechanisms, and the ability to execute arbitrary commands. Volexity uncovered UTA0137's use of the DirtyPipe exploit against vulnerable BOSS Linux systems, as well as their post-exploitation tactics like network scanning and tunneling. The intrusions appear successful, highlighting UTA0137's evolving tradecraft and persistent interest in Indian targets.

Date

Published Created Modified
June 18, 2024, 6:08 a.m. June 18, 2024, 6:08 a.m. June 18, 2024, 6:42 a.m.

Indicators

fe7e7a5a1b1d634dec3fc9c6bc91c6e96ec635fece5af10cfac894fd228ca38d

fb30e5c67b92dc17d7a6e412f36d9b521842f8d7df38a00584c1362303b26655

ead993c1d537c239750e19a5700a58501dab319d5d271bf85137608448c1faa0

e89589e9ce043b28def17c91fa780322205ee08daa8b3cffe67b46bdae0e3a35

dfb72668791b4fe28884706b7756b02b951b43219e528b970ceb0369c86e3fd3

db9afd2c59f20e04db37ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604

db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32

d3d5d0b210c3fc5c679419d6aa9014f62dcd60b0582cd8d544357f6420407b36

cfb9ffb83877b421e95c9a2c3f65c106b9afb42babce7ba824671f9736bf0f7c

c177361992b207575b9aeb98aad7c2d522eace7ada6f1351434dd79a921ce260

af2201af8054e8e11eef7980fe15dc62eb2b7582f4f2bab4d8256f23f6db984e

bac7e6776c120b2b5da4d171afaea26144e77ad54f7516a0325260ee020b3f52

ae59ba12ec6a42ee5b08c3e2ce91ec02071b2f5ad9338e3a19d690bd68acb860

9c1ffafe0bb4388569fed2a8d4af591ce65ae00f47793ee97c07f686c5fab100

98b24fb7aaaece7556aea2269b4e908dd79ff332ddaa5111caec49123840f364

76d9654f28bcaa713a99caa2839a572fc999a726827a0216da71ac184cee6d19

8c8ef2d850bd9c987604e82571706e11612946122c6ab089bd54440c0113968e

74e0af32c47e3bbe6becfb4027bbdcc01fbe36c92c70ce8edd676cc9aa3d6437

5ef431a481c9baeb1d8cfaf6e1c323531a57c14a5b878575b267f2f969451fdb

6c2f18f5d70f794b8826ee2575d973ddb07cbf9d15115973fe92df74079b6412

5ecbc33fe3b345f2956cff566203e33b9390a3ed9923b990a46804880ae2f59b

5821744413146654397903128fece87d7d9d71c4ade5fd40cdcf3cece2faf8f0

4ddf0c70be0b81ab44f018521f788213de2ccf72b7a7f452f327b81172014182

38e1c0ca15ed83ed27148c31a31e0b33de627519ab2929d4aa69484534589086

3d1b3ba5e1c1d1626595098f042913bc39601c80ab2c934cb994d3c053f218c5

3845877017eb07be71820e8514502a3dcd24177540591c5ce2c13aca94caa4ac

2cec6bd5e9ff046771623cfa0802cacd78b7521bf61b144e9c8dfa77d994927c

37bfa72c2820bcf9adb8707ae624452e0b769bc1c1f2a24ebb518c6e1794f3e2

2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3

26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11

207334927fc39278e37afe124769ed980e9a8ae86b0346408af64c86a7c99e6a

1b1d1d775571232235ed6fb84413eb60593340c1c1ea3b77bd72d3b68058f55c

1cdf1f32f31e226f037fda562985e481b7aa0b809971f2e40b713b034cf1d44e

1844156b1a72a7daa8de4139175a2bdeb4bd326b9e3e1fb4dd2ae00b313b0a44

1387b77a41e5a244c03ea7f5c90a2e528abe0ed7a4e6cb659183f7112c546046

0c284271e3d90a6673d84cf6291f92f32ade7c7f760bbe135880b949b38046ee

0cb88c8b8e2969af26678df4d3c395101c49c7c808d2cb2d7a0f00f60bdddcba

0b5cf9bd917f0af03dd694ff4ce39b0b34a97c9f41b87feac1dc884a684f60ef

03666fb1c21d8a8cf38219691d2218d78eef5b00d20f26c25afde5d9e1daf80a

1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99

c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002

9709b0876c2a291cb57aa0646f9179d29d89abb2f8868663147ab0ca4e6c501b

51a372fee89f885741515fa6fdf0ebce860f98145c9883f2e3e35c0fe4432885

1e657d3047f3534dcd4539ce54db9f5901f7e53999bae340a850cc8d2aacc33c

d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529

179.43.175.111

www2.clawsindia.in

www.www.clawsindia.in

www.shop.clawsindia.in

www.secy-org.in

www.publicinfo.in

www.ordai.quest

www.old.clawsindia.in

www.nic-tech.in

www.mailgate.clawsindia.in

www.infosec2.in

www.esttsec.in

www.estbsec.in

www.epar-online.in

www.emailnic.online

www.emailnic-tech.email

www.dev.clawsindia.in

www.defenseinsight.in

www.coordsec2.in

www.clawsindia.in

www.certdehli.in

www.awesscholarship.in

www.awesindia.online

www.apsdelhicantt.in

www.admincoord.in

http://ordai.quest/vmcoreinfo

Attack Patterns

DISGOMOJI

UTA0137

T1547.013

T1213.001

T1021.006

T1053.005

T1087.002

T1555.003

T1059.001

CVE-2024-3400

CVE-2022-0847

Additional Informations

Government

India