The newly discovered Linux malware, DISGOMOJI, has been attributed to a Pakistan-based threat actor known as UTA0137.
It is written in Golang and compiled for Linux systems.
Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India.
Based on Volexity's analysis, UTA0137's campaigns appear to have been successful.
Volexity also uncovered that UTA0137 used DirtyPipe (CVE-2022-0847) privilege escalation exploits against vulnerable BOSS 9 systems.
The infection chain started with a UPX-packed ELF written in Golang and delivered within a ZIP file.
The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in, which is dropped in a hidden folder named .x86_64-linux-gnu on the user's system.
DISGOMOJI maintains persistence on the system using cron jobs and can therefore survive system reboots.
DISGOMOJI listens for new messages in the command channel on the Discord server.
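The persistence and staging details above give a defender three concrete things to hunt for on a Linux host: a cron entry that runs something out of a hidden .x86_64-linux-gnu directory, a binary named vmcoreinfo, or a command that reaches out to clawsindia[.]in. The script below is an added example written for this page, not code from Volexity or from the article; it parses crontab text and flags entries matching those indicators. The crontab lines it runs over are constructed sample input, and the regular expressions around the indicators are the author's own assumptions rather than anything the report specifies.

```python
"""Hunt for DISGOMOJI-style cron persistence indicators.

Added example, not Volexity's or techworm's code. Only the indicators
named in the report are used: a payload called `vmcoreinfo`, a hidden
directory `.x86_64-linux-gnu`, cron-based persistence and the staging
domain clawsindia[.]in. Everything else here is an assumption.
"""
import re

# Indicators taken from the report (the matching logic is assumed).
HIDDEN_DIR = ".x86_64-linux-gnu"
PAYLOAD_NAME = "vmcoreinfo"
DEFANGED_DOMAIN = "clawsindia[.]in"

# A crontab line is either "@reboot <cmd>"-style or five schedule fields
# followed by the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")


def parse_crontab(text):
    """Yield (schedule, command) pairs for each non-comment crontab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1).strip(), m.group("cmd").strip()


def suspicious_reasons(command):
    """Return a list of human-readable reasons a cron command looks like
    DISGOMOJI persistence; an empty list means nothing matched."""
    reasons = []
    if HIDDEN_DIR in command:
        reasons.append("references hidden dir " + HIDDEN_DIR)
    # Match the payload only as a path component or bare command name.
    if re.search(r"(^|/)" + re.escape(PAYLOAD_NAME) + r"\b", command):
        reasons.append("runs payload named " + PAYLOAD_NAME)
    # Compare against the real domain but report the defanged form.
    if DEFANGED_DOMAIN.replace("[.]", ".") in command:
        reasons.append("contacts " + DEFANGED_DOMAIN)
    return reasons


def hunt(text):
    """Return (schedule, command, reasons) for every flagged crontab entry."""
    hits = []
    for sched, cmd in parse_crontab(text):
        reasons = suspicious_reasons(cmd)
        if reasons:
            hits.append((sched, cmd, reasons))
    return hits


# Constructed sample crontab: one benign entry and two that mirror the
# behaviour the report describes. Not a real capture.
SAMPLE_CRONTAB = """\
# constructed sample, not from a real host
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.x86_64-linux-gnu/vmcoreinfo
*/5 * * * * curl -s http://clawsindia.in/update > /dev/null
"""

if __name__ == "__main__":
    for sched, cmd, reasons in hunt(SAMPLE_CRONTAB):
        print(f"[{sched}] {cmd}\n    -> {'; '.join(reasons)}")
```

In practice you would feed `hunt()` the output of `crontab -l` for each user (and the contents of /etc/cron.d), which is where the report says the persistence lives; the `@reboot` case is worth keeping in the parser because it is the schedule that most directly explains surviving a reboot.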
The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI.
UTA0137 has improved DISGOMOJI over time, the cybersecurity firm said.
source: www.techworm.net