The UPX-packed ELF dropped alongside DSOP.pdf contains the DISGOMOJI malware payload. When executed, it collects system information, including the IP address, username, hostname, operating system, and current working directory. Beyond its main functions, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, which checks for connected USB devices and copies their contents to a local folder on the infected system.
The researchers also found this campaign occasionally using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a Linux kernel privilege escalation bug that affects BOSS9 systems; exploitation still succeeded months after a fix was released because systems remained unpatched.
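A defender-side patch check for the point above, added here as an example and not taken from the article or the research it reports on: it parses a kernel release string and reports whether that upstream version falls in the Dirty Pipe (CVE-2022-0847) affected range (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102). The sample release strings are constructed, and distributions that backport the fix without bumping the version number will be reported conservatively as vulnerable, so treat the result as a triage signal rather than proof.

```python
import platform
import re

# Upstream kernel facts for CVE-2022-0847 (Dirty Pipe):
# the bug was introduced in 5.8 and fixed in these stable releases.
INTRODUCED = (5, 8, 0)
FIXED_IN = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_kernel(release: str) -> tuple:
    """Extract (major, minor, patch) from strings like '5.10.101-custom'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(release: str) -> str:
    """Classify an upstream kernel version as 'not affected', 'vulnerable'
    or 'patched'. Distro backports are not visible here, so a 'vulnerable'
    verdict on a vendor kernel still needs confirmation against the
    vendor's advisory or a changelog check."""
    v = parse_kernel(release)
    if v < INTRODUCED:
        return "not affected"
    series = v[:2]
    if series in FIXED_IN:
        return "patched" if v >= FIXED_IN[series] else "vulnerable"
    if v >= (5, 17, 0):
        return "patched"  # 5.17 and later shipped with the fix
    # 5.11 to 5.14 were end-of-life upstream and never received a fix.
    return "vulnerable"


def local_kernel_status() -> str:
    """Check the kernel this script is running on."""
    return dirty_pipe_status(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, not observed values.
    for rel in ["5.4.0-generic", "5.10.101-custom", "5.10.102", "5.13.19", "6.1.0"]:
        print(f"{rel:20} {dirty_pipe_status(rel)}")
    print("running kernel:", platform.release(), local_kernel_status())
```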
Discord C2 on the run
The campaign uses a custom fork of the open source discord-C2 project. The modified version communicates using emojis posted in Discord, the social media service DISGOMOJI relies on for C2.