Emojis have become an essential tool to communicate quickly and expressively. However, its use has transcended the scope of everyday communication and has been exploited by cybercriminals to carry out malicious actions, with the aim of reaching bank accounts.
Recently, A new modality has been discovered in which criminals use emojis to trick users and steal money from their bank accounts. This technique has grown due to its high level of effectiveness, which is why there have been millions of users affected and exposed to these risks.
To achieve this, cybercriminals have found ways to use emojis in their attacks, transforming them into a tool to execute malicious commands on compromised systemss.
A particular case is the malware known as DISGOMOJI, which has been identified in various cyberespionage and information theft campaigns. This malware, developed in Golang and designed for Linux systems, uses the Discord messaging service for command and control (C2) of infected devices.
What is innovative about DISGOMOJI is its ability to receive and execute commands through specific emojis sent in Discord channelsone of the most used applications by gamers and content creators.
Criminals distribute malware using phishing emails that contain malicious links or documents. By opening these documents, the malware is installed on the victim’s system.
Once installed, DISGOMOJI creates a dedicated channel on a Discord server for each victim. This channel is used to send and receive commands between attackers and malware.
- Commands based on emojis:
Attackers send specific emojis to the Discord channel to execute malicious actions. For example, The camera emoji instructs the malware to take a screenshot of the infected device, while the thumbs-down emoji instructs the download of files from the device.
The malware uses advanced techniques to maintain persistence on the system, such as modification to survive reboots, and can exploit known vulnerabilities to escalate privileges and gain full system access.
- Information theft and data exfiltration:
DISGOMOJI is capable of collecting and exfiltrating a wide range of sensitive data, including user credentials, banking information and personal files.. It uses third-party storage services to store and transfer this data to attackers.
The malware can also copy files from USB devices connected to the infected system, expanding its ability to steal information.
A recent example of this modality is the cyber espionage campaign directed against government entities in India. This group, allegedly based in Pakistan, has used DISGOMOJI to infiltrate government systems and exfiltrate sensitive data.
According to Volexity, a threat research firm, attackers have exploited vulnerabilities in Linux systems used by the Indian government to maintain persistent access and steal critical information.
The sophistication and creativity of these attacks require users and organizations to take proactive measures to protect themselves. Below are some key recommendations:
- Recognize signs of phishing: Users should be educated to recognize and avoid suspicious emails and links that could be phishing attempts. Do not open documents or attachments from unknown or unverified sources.
Technical security measures– Keep all systems and applications up to date to protect against known vulnerabilities. Implement robust security solutions that include antivirus, firewalls, and intrusion detection systems.
- Protection of credentials and sensitive data: use two-factor authentication (2FA) to add an extra layer of security on critical accounts. Also implement password managers to create and store secure and unique passwords.
- Monitoring and response to incidents– Perform security audits and regularly monitor systems for suspicious activity. Develop and test incident response plans to minimize the impact of a potential attack.
