{
  "name": "DISGOMOJI Malware Used to Target Indian Government",
  "slug": "disgomoji-malware-used-to-target-indian-government",
  "description": "Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor, tracked as UTA0137, targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities include data exfiltration, persistence mechanisms, and the ability to execute arbitrary commands. Volexity uncovered UTA0137's use of the DirtyPipe exploit (CVE-2022-0847) for privilege escalation against vulnerable BOSS Linux systems, as well as post-exploitation tactics such as network scanning and tunneling. The intrusions appear to have been successful, highlighting UTA0137's evolving tradecraft and persistent interest in Indian targets.",
  "published": "2024-06-18T04:08:06+00:00",
  "created_at": "2024-06-18T04:08:06+00:00",
  "modified_at": "2024-06-18T04:42:55+00:00",
  "created_at_opencti": "2024-06-18T04:08:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-18",
    "CVE-2022-0847",
    "discord",
    "disgomoji",
    "espionage",
    "golang",
    "india",
    "linux",
    "privilege-escalation"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "179.43.175.111"
      },
      {
        "id": "",
        "name": "www2.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.www.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.shop.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.secy-org.in"
      },
      {
        "id": "",
        "name": "www.publicinfo.in"
      },
      {
        "id": "",
        "name": "www.ordai.quest"
      },
      {
        "id": "",
        "name": "www.old.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.nic-tech.in"
      },
      {
        "id": "",
        "name": "www.mailgate.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.infosec2.in"
      },
      {
        "id": "",
        "name": "www.esttsec.in"
      },
      {
        "id": "",
        "name": "www.estbsec.in"
      },
      {
        "id": "",
        "name": "www.epar-online.in"
      },
      {
        "id": "",
        "name": "www.emailnic.online"
      },
      {
        "id": "",
        "name": "www.emailnic-tech.email"
      },
      {
        "id": "",
        "name": "www.dev.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.defenseinsight.in"
      },
      {
        "id": "",
        "name": "www.coordsec2.in"
      },
      {
        "id": "",
        "name": "www.clawsindia.in"
      },
      {
        "id": "",
        "name": "www.certdehli.in"
      },
      {
        "id": "",
        "name": "www.awesscholarship.in"
      },
      {
        "id": "",
        "name": "www.awesindia.online"
      },
      {
        "id": "",
        "name": "www.apsdelhicantt.in"
      },
      {
        "id": "",
        "name": "www.admincoord.in"
      },
      {
        "id": "",
        "name": "http://ordai.quest/vmcoreinfo"
      },
      {
        "id": "",
        "name": "ww12.epar-online.in"
      },
      {
        "id": "",
        "name": "whm.clawsindia.in"
      },
      {
        "id": "",
        "name": "webmail.clawsindia.in"
      },
      {
        "id": "",
        "name": "webdisk.defenseinsight.in"
      },
      {
        "id": "",
        "name": "webdisk.estbsec.in"
      },
      {
        "id": "",
        "name": "webdisk.clawsindia.in"
      },
      {
        "id": "",
        "name": "test.clawsindia.in"
      },
      {
        "id": "",
        "name": "sql.clawsindia.in"
      },
      {
        "id": "",
        "name": "smtp.mail.clawsindia.in"
      },
      {
        "id": "",
        "name": "shop.clawsindia.in"
      },
      {
        "id": "",
        "name": "portal.clawsindia.in"
      },
      {
        "id": "",
        "name": "pop3.clawsindia.in"
      },
      {
        "id": "",
        "name": "pop.clawsindia.in"
      },
      {
        "id": "",
        "name": "play.emailnic.online"
      },
      {
        "id": "",
        "name": "pcda.admincoord.in"
      },
      {
        "id": "",
        "name": "outlook.emailnic.online"
      },
      {
        "id": "",
        "name": "old.clawsindia.in"
      },
      {
        "id": "",
        "name": "ns1.clawsindia.in"
      },
      {
        "id": "",
        "name": "mx4.clawsindia.in"
      },
      {
        "id": "",
        "name": "mx10.clawsindia.in"
      },
      {
        "id": "",
        "name": "mx0.clawsindia.in"
      },
      {
        "id": "",
        "name": "mbox.clawsindia.in"
      },
      {
        "id": "",
        "name": "mailrelay.clawsindia.in"
      },
      {
        "id": "",
        "name": "mailgate.clawsindia.in"
      },
      {
        "id": "",
        "name": "mail6.clawsindia.in"
      },
      {
        "id": "",
        "name": "mail.clawsindia.in"
      },
      {
        "id": "",
        "name": "m.emailnic.online"
      },
      {
        "id": "",
        "name": "mail.defenseinsight.in"
      },
      {
        "id": "",
        "name": "m.clawsindia.in"
      },
      {
        "id": "",
        "name": "login.emailnic.online"
      },
      {
        "id": "",
        "name": "localhost.clawsindia.in"
      },
      {
        "id": "",
        "name": "lists.clawsindia.in"
      },
      {
        "id": "",
        "name": "intranet.clawsindia.in"
      },
      {
        "id": "",
        "name": "insight.defenseinsight.in"
      },
      {
        "id": "",
        "name": "imap.clawsindia.in"
      },
      {
        "id": "",
        "name": "help.clawsindia.in"
      },
      {
        "id": "",
        "name": "gate.clawsindia.in"
      },
      {
        "id": "",
        "name": "ftp.publicinfo.in"
      },
      {
        "id": "",
        "name": "ftp.clawsindia.in"
      },
      {
        "id": "",
        "name": "epar.emailnic-tech.email"
      },
      {
        "id": "",
        "name": "email.publicinfo.in"
      },
      {
        "id": "",
        "name": "email.parichay.online"
      },
      {
        "id": "",
        "name": "email.gov.in.parichay.online"
      },
      {
        "id": "",
        "name": "email.gov.in.estbsec.in"
      },
      {
        "id": "",
        "name": "email.estbsec.in"
      },
      {
        "id": "",
        "name": "email.emailnic.online"
      },
      {
        "id": "",
        "name": "email.emailnic-tech.email"
      },
      {
        "id": "",
        "name": "email.coordsec2.in"
      },
      {
        "id": "",
        "name": "email.apsdelhicantt.in"
      },
      {
        "id": "",
        "name": "dev.nic-tech.in"
      },
      {
        "id": "",
        "name": "dev.clawsindia.in"
      },
      {
        "id": "",
        "name": "dc-mx.ae172f95f2ec.defenseinsight.in"
      },
      {
        "id": "",
        "name": "cpanel.clawsindia.in"
      },
      {
        "id": "",
        "name": "blog.clawsindia.in"
      },
      {
        "id": "",
        "name": "cloud.publicinfo.in"
      },
      {
        "id": "",
        "name": "autoconfig.clawsindia.in"
      },
      {
        "id": "",
        "name": "adfs.clawsindia.in"
      },
      {
        "id": "",
        "name": "accounts.emailnic.online"
      },
      {
        "id": "",
        "name": "account.emailnic.online"
      },
      {
        "id": "",
        "name": "parichay.online"
      },
      {
        "id": "",
        "name": "nic-tech.in"
      },
      {
        "id": "",
        "name": "epar-online.in"
      },
      {
        "id": "",
        "name": "emailnic.online"
      },
      {
        "id": "",
        "name": "defenseinsight.in"
      },
      {
        "id": "",
        "name": "certdehli.in"
      },
      {
        "id": "",
        "name": "awesscholarship.in"
      },
      {
        "id": "",
        "name": "apsdelhicantt.in"
      },
      {
        "id": "",
        "name": "ordai.quest"
      },
      {
        "id": "",
        "name": "secy-org.in"
      },
      {
        "id": "",
        "name": "publicinfo.in"
      },
      {
        "id": "",
        "name": "infosec2.in"
      },
      {
        "id": "",
        "name": "esttsec.in"
      },
      {
        "id": "",
        "name": "emailnic-tech.email"
      },
      {
        "id": "",
        "name": "estbsec.in"
      },
      {
        "id": "",
        "name": "coordsec2.in"
      },
      {
        "id": "",
        "name": "clawsindia.in"
      },
      {
        "id": "",
        "name": "awesindia.online"
      },
      {
        "id": "",
        "name": "admincoord.in"
      },
      {
        "id": "",
        "name": "fe7e7a5a1b1d634dec3fc9c6bc91c6e96ec635fece5af10cfac894fd228ca38d"
      },
      {
        "id": "",
        "name": "fb30e5c67b92dc17d7a6e412f36d9b521842f8d7df38a00584c1362303b26655"
      },
      {
        "id": "",
        "name": "ead993c1d537c239750e19a5700a58501dab319d5d271bf85137608448c1faa0"
      },
      {
        "id": "",
        "name": "e89589e9ce043b28def17c91fa780322205ee08daa8b3cffe67b46bdae0e3a35"
      },
      {
        "id": "",
        "name": "dfb72668791b4fe28884706b7756b02b951b43219e528b970ceb0369c86e3fd3"
      },
      {
        "id": "",
        "name": "db9afd2c59f20e04db37ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604"
      },
      {
        "id": "",
        "name": "db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32"
      },
      {
        "id": "",
        "name": "d3d5d0b210c3fc5c679419d6aa9014f62dcd60b0582cd8d544357f6420407b36"
      },
      {
        "id": "",
        "name": "cfb9ffb83877b421e95c9a2c3f65c106b9afb42babce7ba824671f9736bf0f7c"
      },
      {
        "id": "",
        "name": "c177361992b207575b9aeb98aad7c2d522eace7ada6f1351434dd79a921ce260"
      },
      {
        "id": "",
        "name": "af2201af8054e8e11eef7980fe15dc62eb2b7582f4f2bab4d8256f23f6db984e"
      },
      {
        "id": "",
        "name": "bac7e6776c120b2b5da4d171afaea26144e77ad54f7516a0325260ee020b3f52"
      },
      {
        "id": "",
        "name": "ae59ba12ec6a42ee5b08c3e2ce91ec02071b2f5ad9338e3a19d690bd68acb860"
      },
      {
        "id": "",
        "name": "9c1ffafe0bb4388569fed2a8d4af591ce65ae00f47793ee97c07f686c5fab100"
      },
      {
        "id": "",
        "name": "98b24fb7aaaece7556aea2269b4e908dd79ff332ddaa5111caec49123840f364"
      },
      {
        "id": "",
        "name": "76d9654f28bcaa713a99caa2839a572fc999a726827a0216da71ac184cee6d19"
      },
      {
        "id": "",
        "name": "8c8ef2d850bd9c987604e82571706e11612946122c6ab089bd54440c0113968e"
      },
      {
        "id": "",
        "name": "74e0af32c47e3bbe6becfb4027bbdcc01fbe36c92c70ce8edd676cc9aa3d6437"
      },
      {
        "id": "",
        "name": "5ef431a481c9baeb1d8cfaf6e1c323531a57c14a5b878575b267f2f969451fdb"
      },
      {
        "id": "",
        "name": "6c2f18f5d70f794b8826ee2575d973ddb07cbf9d15115973fe92df74079b6412"
      },
      {
        "id": "",
        "name": "5ecbc33fe3b345f2956cff566203e33b9390a3ed9923b990a46804880ae2f59b"
      },
      {
        "id": "",
        "name": "5821744413146654397903128fece87d7d9d71c4ade5fd40cdcf3cece2faf8f0"
      },
      {
        "id": "",
        "name": "4ddf0c70be0b81ab44f018521f788213de2ccf72b7a7f452f327b81172014182"
      },
      {
        "id": "",
        "name": "38e1c0ca15ed83ed27148c31a31e0b33de627519ab2929d4aa69484534589086"
      },
      {
        "id": "",
        "name": "3d1b3ba5e1c1d1626595098f042913bc39601c80ab2c934cb994d3c053f218c5"
      },
      {
        "id": "",
        "name": "3845877017eb07be71820e8514502a3dcd24177540591c5ce2c13aca94caa4ac"
      },
      {
        "id": "",
        "name": "2cec6bd5e9ff046771623cfa0802cacd78b7521bf61b144e9c8dfa77d994927c"
      },
      {
        "id": "",
        "name": "37bfa72c2820bcf9adb8707ae624452e0b769bc1c1f2a24ebb518c6e1794f3e2"
      },
      {
        "id": "",
        "name": "2abaae4f6794131108adf5b42e09ee5ce24769431a0e154feabe6052cfe70bf3"
      },
      {
        "id": "",
        "name": "26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11"
      },
      {
        "id": "",
        "name": "207334927fc39278e37afe124769ed980e9a8ae86b0346408af64c86a7c99e6a"
      },
      {
        "id": "",
        "name": "1b1d1d775571232235ed6fb84413eb60593340c1c1ea3b77bd72d3b68058f55c"
      },
      {
        "id": "",
        "name": "1cdf1f32f31e226f037fda562985e481b7aa0b809971f2e40b713b034cf1d44e"
      },
      {
        "id": "",
        "name": "1844156b1a72a7daa8de4139175a2bdeb4bd326b9e3e1fb4dd2ae00b313b0a44"
      },
      {
        "id": "",
        "name": "1387b77a41e5a244c03ea7f5c90a2e528abe0ed7a4e6cb659183f7112c546046"
      },
      {
        "id": "",
        "name": "0c284271e3d90a6673d84cf6291f92f32ade7c7f760bbe135880b949b38046ee"
      },
      {
        "id": "",
        "name": "0cb88c8b8e2969af26678df4d3c395101c49c7c808d2cb2d7a0f00f60bdddcba"
      },
      {
        "id": "",
        "name": "0b5cf9bd917f0af03dd694ff4ce39b0b34a97c9f41b87feac1dc884a684f60ef"
      },
      {
        "id": "",
        "name": "03666fb1c21d8a8cf38219691d2218d78eef5b00d20f26c25afde5d9e1daf80a"
      },
      {
        "id": "",
        "name": "1e45d68106ca78f46be508427362b8ce24fdf5485c368f9369c913935cf04f99"
      },
      {
        "id": "",
        "name": "c981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002"
      },
      {
        "id": "",
        "name": "9709b0876c2a291cb57aa0646f9179d29d89abb2f8868663147ab0ca4e6c501b"
      },
      {
        "id": "",
        "name": "51a372fee89f885741515fa6fdf0ebce860f98145c9883f2e3e35c0fe4432885"
      },
      {
        "id": "",
        "name": "1e657d3047f3534dcd4539ce54db9f5901f7e53999bae340a850cc8d2aacc33c"
      },
      {
        "id": "",
        "name": "d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:99863c862037dc7f",
        "name": "DISGOMOJI",
        "slug": "disgomoji"
      }
    ],
    "intrusion_sets": [
      {
        "id": "684afc09-4c0f-43b3-9359-1f407c3aba56",
        "name": "UTA0137",
        "slug": "uta0137"
      }
    ],
    "attack_patterns": [
      {
        "id": "b9f29eb3-d591-4561-9cf0-0230a299a11c",
        "name": "T1547.013"
      },
      {
        "id": "0e4eda03-1586-4bcb-ab48-4f9b2ff766db",
        "name": "T1213.001"
      },
      {
        "id": "9643a7e9-771b-4396-83a3-26fcec5200e4",
        "name": "T1021.006"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab",
        "name": "T1087.002"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-3400"
      },
      {
        "id": "",
        "name": "CVE-2022-0847"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://raw.githubusercontent.com/volexity/threat-intel/main/2024/2024-06-13%20DISGOMOJI/indicators/iocs.csv",
    "https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/",
    "https://otx.alienvault.com/pulse/66712446e23b1d14e4f293eb"
  ]
}