
Hackers often show great creativity when setting up command and control (C2) infrastructure. One new campaign has been seen using Discord for C2 and an emoji-based protocol "where the attacker sends commands to the malware by sending emojis to the command channel."
So say security researchers at Volexity, in a blog post published on June 13. They attributed the campaign to a "suspected Pakistan-based threat actor" that is primarily targeting Indian government entities — some of which apparently often use a customised Linux desktop called BOSS.
(Who knew? We didn't. Shame on us. In India it really is the Year of Linux on the Desktop™. Reading around this we learned that in 2023 India took another hardened Linux distribution to general availability called MayaOS that was set to be adopted by India's Ministry of Defense and subsequently the country's Army, Navy and Air Force. Know more about levels of adoption and indeed user experience? We'd love to hear from you.)
We digress.
Discord, originally a platform for gamers to communicate, has been used for C2 before, as have Telegram, queued print jobs, and the Slack API; the former via the C3 framework used in the Colonial Pipeline attack.
In general Red Teamers and Black Hats have been creative and prolific in creating C2 frameworks — one collection of examples is in a non-Stack owned Google Doc here; hit links at your own risk/in a sandbox. But this campaign is unique, not least in using emojis to control the malware.
As Volexity put it today: "An authentication token and server ID are hardcoded inside [an] ELF [a way to store apps to be executed by a Linux-based computer], which are used to access the Discord server. The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim...
C2 communication takes place using an emoji-based protocol where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable," said Volexity, sharing the emoji commands below.
| Emoji | Emoji Name | Command Description |
| --- | --- | --- |
| 🏃‍♂️ | Man Running | Execute a command on the victim's device. This command receives an argument, which is the command to execute. |
| 📸 | Camera with Flash | Take a screenshot of the victim's screen and upload it to the command channel as an attachment. |
| 👇 | Backhand Index Pointing Down | Download files from the victim's device and upload them to the command channel as attachments. This command receives one argument, which is the path of the file. |
| ☝️ | Index Pointing Up | Upload a file to the victim's device. The file to upload is attached along with this emoji. |
| 👉 | Backhand Index Pointing Right | Upload a file from the victim's device to Oshi (oshi[.]at), a remote file-storage service. This command receives an argument, which is the name of the file to upload. |
| 👈 | Backhand Index Pointing Left | Upload a file from the victim's device to transfer[.]sh, a remote file-sharing service. This command receives an argument, which is the name of the file to upload. |
| 🔥 | Fire | Find and send all files matching a pre-defined extension list that are present on the victim's device. Files with the following extensions are exfiltrated: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, ZIP |
| 🦊 | Fox | Zip all Firefox profiles on the victim's device. These files can be retrieved by the attacker at a later time. |
| 💀 | Skull | Terminate the malware process using os.Exit(). |
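For an incident responder, the command table above is most useful as a decoder: given an export of a seized or reported Discord channel, it lets you reconstruct what the operator asked each victim (one channel per victim, per Volexity) to do. The Python below is an added example, not Volexity's code and not the malware's; the message layout, channel names, file names and the `uname -a` argument are constructed assumptions, and the U+FE0F handling is there because clients render ☝️ and 🏃‍♂️ with or without the variation selector.

```python
"""Decode the emoji-based command protocol from a Discord channel export.

Added illustration, not Volexity's code and not the malware's: it turns an
exported C2 channel into a per-victim command timeline for an incident
responder. The message dicts below are constructed samples; real Discord
exports differ in shape, so adapt the field names.
"""
from dataclasses import dataclass
from typing import Optional

VARIATION_SELECTOR_16 = "\ufe0f"

# Emoji -> (emoji name, takes a text argument, expects an attachment), following
# the command table published by Volexity. Keys are code-point escapes with
# U+FE0F removed so lookups do not depend on how a client rendered the emoji.
COMMANDS = {
    "\U0001F3C3\u200d\u2642": ("Man Running", True, False),         # run a command
    "\U0001F4F8": ("Camera with Flash", False, False),              # screenshot
    "\U0001F447": ("Backhand Index Pointing Down", True, False),    # pull a file
    "\u261d": ("Index Pointing Up", False, True),                   # push attached file
    "\U0001F449": ("Backhand Index Pointing Right", True, False),   # exfil via oshi
    "\U0001F448": ("Backhand Index Pointing Left", True, False),    # exfil via transfer.sh
    "\U0001F525": ("Fire", False, False),                           # bulk document exfil
    "\U0001F98A": ("Fox", False, False),                            # zip Firefox profiles
    "\U0001F480": ("Skull", False, False),                          # terminate
}


@dataclass
class DecodedCommand:
    channel: str                 # one channel per victim
    name: str                    # emoji name from the command table
    argument: Optional[str]      # text after the emoji, for commands that take one
    attachments: list            # attachment names carried by the message
    anomaly: Optional[str] = None  # protocol violation worth a second look


def strip_variation_selectors(text: str) -> str:
    """Drop U+FE0F so '☝️' and '☝' compare equal."""
    return text.replace(VARIATION_SELECTOR_16, "")


def decode_message(msg: dict) -> Optional[DecodedCommand]:
    """Return the decoded command, or None if the message is not a protocol command."""
    content = strip_variation_selectors(msg["content"]).strip()
    # Longest key first so the ZWJ sequence for 'Man Running' is matched whole.
    for emoji in sorted(COMMANDS, key=len, reverse=True):
        if content.startswith(emoji):
            name, takes_arg, wants_attachment = COMMANDS[emoji]
            rest = content[len(emoji):].strip() or None
            attachments = list(msg.get("attachments", []))
            anomaly = None
            if takes_arg and rest is None:
                anomaly = "missing argument"
            elif wants_attachment and not attachments:
                anomaly = "missing attachment"
            elif not takes_arg and rest is not None:
                anomaly = "unexpected trailing text"
            return DecodedCommand(msg["channel"], name,
                                  rest if takes_arg else None, attachments, anomaly)
    return None


def decode_export(messages: list) -> list:
    """Decode every protocol message in an export, keeping original order."""
    return [cmd for cmd in (decode_message(m) for m in messages) if cmd is not None]


def timeline_by_victim(decoded: list) -> dict:
    """Group command names per channel, i.e. per victim."""
    out: dict = {}
    for cmd in decoded:
        out.setdefault(cmd.channel, []).append(cmd.name)
    return out


# Constructed sample export: two victim channels, one operator account.
SAMPLE_MESSAGES = [
    {"channel": "victim-0a1b", "author": "operator", "content": "🏃‍♂️ uname -a", "attachments": []},
    {"channel": "victim-0a1b", "author": "operator", "content": "📸", "attachments": []},
    {"channel": "victim-0a1b", "author": "operator", "content": "👇 /home/user/Documents/report.odt", "attachments": []},
    {"channel": "victim-0a1b", "author": "operator", "content": "☝️", "attachments": ["update.sh"]},
    {"channel": "victim-9f3e", "author": "operator", "content": "🔥", "attachments": []},
    {"channel": "victim-9f3e", "author": "operator", "content": "👉", "attachments": []},  # no file name given
    {"channel": "victim-9f3e", "author": "operator", "content": "hello team", "attachments": []},  # chatter, not protocol
    {"channel": "victim-9f3e", "author": "operator", "content": "💀", "attachments": []},
]

if __name__ == "__main__":
    for cmd in decode_export(SAMPLE_MESSAGES):
        flag = f"  [!] {cmd.anomaly}" if cmd.anomaly else ""
        print(f"{cmd.channel}: {cmd.name} {cmd.argument or ''} {cmd.attachments}{flag}")
    print(timeline_by_victim(decode_export(SAMPLE_MESSAGES)))
```

The anomaly field is the part that earns its keep in practice: a command that should carry an argument or attachment but does not is either operator error or a protocol variant you have not modelled yet, and either way deserves a note in the timeline.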
Volexity's more technically detailed writeup on the campaign is here.
It notes that in previous versions of what it dubs the "DISGOMOJI" malware "both the authentication token and server ID were hardcoded in the malware binary. In the newer versions of DISGOMOJI, [threat group] UTA0137 has introduced changes to manage these dynamically from the C2 at runtime.
"Once the authentication token and server ID are retrieved, they are stored locally on the system in files named BID1.txt and GID1.txt, which are written to the malware directory .x86_64-linux-gnu. Every time the malware runs, these locally saved values are synced with values retrieved from the server," Washington, D.C.-based cybersecurity firm Volexity said.
The malware maintains persistence on the system using cron, a way of scheduling jobs, and can "survive reboots through the addition of a @reboot entry to the crontab for itself."
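The storage and persistence details above translate directly into a host triage check. The Python below is an added example, not Volexity's tooling: it parses crontab text and flags @reboot entries, rating highest those that launch something from .x86_64-linux-gnu (the directory named in the report) or, as a looser heuristic, from any other hidden directory, and it picks out the BID1.txt and GID1.txt marker files from a directory listing. The crontab text, user name and file listing are constructed samples; on a real host you would feed it each user's `crontab -l` output and a `find` listing of home directories.

```python
"""Host triage for the cron persistence and marker files described above.

Added helper, not Volexity's code. The crontab text and the directory listing
are constructed samples.
"""
import os
import re
from dataclasses import dataclass
from typing import List

SUSPICIOUS_DIR = ".x86_64-linux-gnu"       # malware directory named in the report
MARKER_FILES = {"BID1.txt", "GID1.txt"}    # token / server-ID files named in the report
HIDDEN_DIR = re.compile(r"(^|[\s/])\.[A-Za-z0-9_-]+/")  # heuristic: a '/.something/' path segment


@dataclass
class CronFinding:
    line_no: int
    entry: str
    reasons: List[str]
    severity: str   # "high" when @reboot is combined with a hidden/suspicious directory


def _command_of(entry: str) -> str:
    """Return the command part of a crontab line, after the schedule fields."""
    if entry.startswith("@"):                     # @reboot, @daily, ...
        parts = entry.split(None, 1)
        return parts[1] if len(parts) == 2 else ""
    fields = entry.split(None, 5)                 # five time fields, then the command
    return fields[5] if len(fields) == 6 else ""


def triage_crontab(text: str) -> List[CronFinding]:
    """Flag crontab entries worth a closer look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#") or "=" in entry.split(None, 1)[0]:
            continue                              # blank, comment or VAR=value line
        cmd = _command_of(entry)
        reasons = []
        if entry.startswith("@reboot"):
            reasons.append("runs at every reboot")
        if SUSPICIOUS_DIR in cmd:
            reasons.append(f"references {SUSPICIOUS_DIR}")
        elif HIDDEN_DIR.search(cmd):
            reasons.append("launches from a hidden directory")
        if reasons:
            severity = "high" if len(reasons) == 2 else "low"
            findings.append(CronFinding(line_no, entry, reasons, severity))
    return findings


def find_marker_files(listing: List[str]) -> List[str]:
    """Return paths whose file name matches the report's token/server-ID files."""
    return sorted(p for p in listing if os.path.basename(p) in MARKER_FILES)


SAMPLE_CRONTAB = """\
# constructed sample crontab, not from a real host
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/user/.x86_64-linux-gnu/update >/dev/null 2>&1
@daily /home/user/.local/bin/backup.sh
*/5 * * * * /opt/monitor/agent --check
"""

SAMPLE_LISTING = [  # constructed
    "/home/user/.x86_64-linux-gnu/update",
    "/home/user/.x86_64-linux-gnu/BID1.txt",
    "/home/user/.x86_64-linux-gnu/GID1.txt",
    "/home/user/.local/bin/backup.sh",
]

if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{f.severity}] line {f.line_no}: {f.entry}  ({'; '.join(f.reasons)})")
    for path in find_marker_files(SAMPLE_LISTING):
        print(f"[marker] {path}")
```

The hidden-directory heuristic will also catch legitimate entries such as the `.local/bin` backup script in the sample, which is why it is rated low on its own and high only when paired with @reboot; the directory and file names from the report are the high-confidence signal, the heuristic is there so a renamed directory in a later variant does not slip past unnoticed.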
BlackBerry last month published a detailed writeup on a threat group with some apparent overlap. It noted that the group "primarily employs phishing emails as the preferred method of delivery for their payloads, utilizing either malicious ZIP archives or links" and variations of GLOBSHELL, a custom-built file exfiltration Linux utility, but also noted some apparently clumsy operational security errors that exposed it operating from Pakistan.