Besides DSOP.pdf, the UPX-packed ELF contains the DISGOMOJI malware payload, which, upon execution, collects and exfiltrates system information including the IP address, username, hostname, operating system, and current working directory. Beyond its main functions, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, that checks for connected USB devices and copies their contents to a local folder on the infected system.
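Because the dropper arrives as a UPX-packed ELF, a quick host-side triage step is to flag packed Linux binaries before they run. The following script is an added example, not code from the article or from the research firm's report; it checks for the ELF magic, for the `UPX!` marker that a stock UPX build writes into packed files, and, since a patched packer can strip that marker, for high whole-file entropy as a second signal. The sample byte strings and the entropy threshold are constructed for the example.

```python
import math
import os
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"   # magic string a stock UPX build writes into the packed file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def is_elf(data: bytes) -> bool:
    return data[:4] == ELF_MAGIC


def has_upx_marker(data: bytes) -> bool:
    return UPX_MARKER in data


def classify_elf(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Verdict for one file's bytes.

    suspect_packed is true for an ELF that either carries the UPX marker or has
    whole-file entropy at or above entropy_threshold (a modified UPX build can
    remove the marker, so the entropy heuristic is kept as a second signal).
    """
    elf = is_elf(data)
    marker = elf and has_upx_marker(data)
    entropy = shannon_entropy(data)
    return {
        "is_elf": elf,
        "upx_marker": marker,
        "entropy": round(entropy, 2),
        "suspect_packed": elf and (marker or entropy >= entropy_threshold),
    }


def scan_directory(root: str, max_bytes: int = 16 * 1024 * 1024) -> list:
    """Walk root and return (path, verdict) for every ELF flagged as suspect_packed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            verdict = classify_elf(data)
            if verdict["suspect_packed"]:
                hits.append((path, verdict))
    return hits


# Constructed sample inputs: a fake packed ELF (marker plus a high-entropy body)
# and a plain ELF-like blob dominated by zero padding.
SAMPLE_PACKED = ELF_MAGIC + b"\x02\x01\x01" + bytes(9) + UPX_MARKER + bytes(range(256)) * 4
SAMPLE_PLAIN = ELF_MAGIC + b"\x02\x01\x01" + bytes(200) + b"/lib64/ld-linux-x86-64.so.2\x00"

if __name__ == "__main__":
    for label, sample in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, classify_elf(sample))
    if len(sys.argv) > 1:
        for path, verdict in scan_directory(sys.argv[1]):
            print(path, verdict)
```

Run it with a directory argument (for example a user's download folder) to list packed ELF candidates; treat the result as a triage queue rather than a verdict, since legitimate software is sometimes shipped UPX-packed and a high entropy score also fires on ordinary compressed resources embedded in a binary.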
The research firm also found the campaign occasionally using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a privilege escalation bug that affects BOSS9 systems and is still being exploited in the wild months after a fix was released.
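A first-pass exposure check for Dirty Pipe is to compare the running kernel's upstream version against the releases that carried the fix. The script below is an added example, not from the article or the research firm's report; the affected range (introduced in 5.8) and the fixed stable releases (5.10.102, 5.15.25, 5.16.11, with 5.17 shipping fixed) are taken from my recollection of the upstream advisory, not from the page, and should be confirmed against your distribution's advisory.

```python
import platform
import re

# Stable kernel releases that shipped the CVE-2022-0847 fix, per the upstream
# advisory as I recall it (assumption, not taken from the article). Distribution
# kernels backport fixes without changing the upstream version number, so a
# version-only check can report false positives; consult the distro advisory.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)   # the bug was introduced in 5.8
FIRST_CLEAN_LINE = (5, 17)   # 5.17 and later shipped with the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(uname_r: str) -> tuple:
    """Reduce a `uname -r` string such as '5.10.101-generic' to (major, minor, patch)."""
    m = _VERSION_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_exposed(uname_r: str) -> bool:
    """True when the upstream version number alone places the kernel in the affected range."""
    version = parse_release(uname_r)
    if version < FIRST_AFFECTED:
        return False
    if version[:2] >= FIRST_CLEAN_LINE:
        return False
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # 5.8, 5.9 and 5.11-5.14 were end-of-life before the fix and never received it
        return True
    return version < fixed


def check_running_kernel() -> dict:
    """Apply the check to the kernel this script runs on."""
    release = platform.release()
    try:
        exposed = dirty_pipe_exposed(release)
    except ValueError:
        exposed = None   # not a Linux-style release string
    return {"release": release, "exposed_by_version": exposed}


if __name__ == "__main__":
    print(check_running_kernel())
```

On Debian-derived systems such as BOSS, `uname -r` reports the ABI version (for example `5.10.0-13-amd64`), so feed the function the actual stable release from `uname -v` or `/proc/version` instead; otherwise the check will flag a patched 5.10 kernel as exposed.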
Discord C2 for evasion
The campaign uses a custom fork of the open source project discord-C2. The modified version of this project uses emojis in the Discord service for DISGOMOJI's C2 communications.
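Because the C2 channel rides on Discord's own service, the traffic blends in with legitimate use of the platform, and network defenders are left with a simpler question: which hosts are resolving Discord infrastructure at all, and are they expected to? The following script is an added example, not from the article or the research firm's report; it scans a DNS query log for lookups of Discord service domains from hosts outside a sanctioned set. The domain list is generic Discord infrastructure (an assumption, not an indicator from the report), and the log lines and host allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Discord service names a Discord-based C2 channel has to resolve (assumption:
# generic Discord infrastructure domains, not indicators taken from the report).
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Hosts where a Discord client is sanctioned; constructed for this example.
SANCTIONED_DISCORD_CLIENTS = {"10.0.7.8"}

# Constructed sample DNS query log, one "<timestamp> <client_ip> <qname>" record per line.
SAMPLE_DNS_LOG = """\
2024-06-14T09:01:02Z 10.0.5.21 www.example.org
2024-06-14T09:01:05Z 10.0.5.21 discord.com
2024-06-14T09:01:06Z 10.0.5.21 gateway.discord.gg
2024-06-14T09:02:10Z 10.0.7.8 discord.com
2024-06-14T09:03:00Z 10.0.9.3 updates.example.org
2024-06-14T09:04:00Z 10.0.9.3 notdiscord.com
"""

_RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def is_discord_name(qname: str) -> bool:
    """Match the domain itself or any subdomain, never a lookalike such as notdiscord.com."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DISCORD_DOMAINS)


def unexpected_discord_lookups(log_text: str, sanctioned: set) -> dict:
    """Return {client_ip: sorted query names} for Discord lookups from unsanctioned hosts."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = _RECORD_RE.match(line)
        if not m:
            continue   # skip malformed or blank records rather than abort the scan
        _ts, client, qname = m.groups()
        if client not in sanctioned and is_discord_name(qname):
            hits[client].add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    findings = unexpected_discord_lookups(SAMPLE_DNS_LOG, SANCTIONED_DISCORD_CLIENTS)
    for client, names in findings.items():
        print(f"{client}: {', '.join(names)}")
```

The suffix match is deliberate: it catches subdomains such as the gateway host while ignoring lookalike names, and the sanctioned-host set is what turns a noisy "anyone talking to Discord" query into an actionable alert for servers and other systems that have no business reaching a chat service.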