The UPX-packed ELF, in addition to DSOP.pdf, contains the DISGOMOJI malware payload which, upon execution, collects and exfiltrates system information including the IP address, username, hostname, operating system, and the current working directory. Beyond these core capabilities, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, that checks for connected USB devices and copies their contents to a local folder on the infected system.
The research firm also found the campaign occasionally using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a privilege escalation bug affecting BOSS9 systems that was still being exploited in the wild months after a fix had been rolled out.
Discord C2 for evasion
The campaign uses a custom fork of the open source project discord-C2. The modified version of this project uses emojis in the Discord service for DISGOMOJI's C2 communications.
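The two behaviours described above, the USB-collector script uevent_seqnum.sh and C2 traffic carried over Discord, are both observable from ordinary host telemetry. The following is an added detection example, not code from the article or from the DISGOMOJI analysis: it runs three simple rules over constructed process-execution and network log lines in a hypothetical `<timestamp> <event> key=value ...` format. The script name and the use of Discord for C2 come from the article; the log format, the browser allowlist, the Discord hostnames used as indicators, and the staging-directory rule are assumptions a defender would tune for their own environment.

```python
"""Toy detection pass over constructed host telemetry.

Added example for this article; not code from the original page or from the
DISGOMOJI report. Log format, allowlist and hostnames are assumptions.
"""
import re
from collections import Counter
from posixpath import basename, dirname

# Indicator taken from the article: the USB-collector script name.
SUSPECT_SCRIPT_NAMES = {"uevent_seqnum.sh"}
# Assumed Discord endpoints worth flagging when a non-browser process reaches them.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
# Assumed allowlist: the only binaries on this host expected to talk to Discord.
BROWSER_ALLOWLIST = {"/usr/bin/firefox", "/usr/bin/chromium", "/usr/bin/discord"}
# World-writable staging directories that legitimate services rarely execute from.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample telemetry (hypothetical format: "<ts> <event> k=v ...").
SAMPLE_LOGS = [
    "2024-06-01T10:00:01 exec pid=4120 user=analyst exe=/usr/bin/firefox",
    "2024-06-01T10:00:05 net pid=4120 exe=/usr/bin/firefox dst=discord.com:443",
    "2024-06-01T10:01:12 exec pid=5011 user=analyst exe=/tmp/.x/uevent_seqnum.sh",
    "2024-06-01T10:01:15 net pid=5013 exe=/tmp/.x/payload dst=discord.com:443",
    "2024-06-01T10:02:00 net pid=5013 exe=/tmp/.x/payload dst=gateway.discord.gg:443",
    "2024-06-01T10:03:30 exec pid=6000 user=root exe=/usr/bin/apt",
    "garbage line that the parser must skip",
]

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it is malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    rec.update(_KV.findall(m.group("rest")))
    return rec


def dst_host(rec):
    """Strip the port from a 'host:port' destination (IPv6 literals are out of scope here)."""
    dst = rec.get("dst", "")
    return dst.rsplit(":", 1)[0] if ":" in dst else dst


def in_staging_dir(exe):
    # Compare with a trailing slash so "/tmpfoo" does not match "/tmp".
    parent = dirname(exe) + "/"
    return any(parent.startswith(d + "/") for d in STAGING_DIRS)


def check_record(rec, allowlist=BROWSER_ALLOWLIST):
    """Return the list of (rule, pid) hits for one parsed record."""
    hits = []
    exe = rec.get("exe", "")
    pid = rec.get("pid", "?")
    if rec["event"] == "exec":
        if basename(exe) in SUSPECT_SCRIPT_NAMES:
            hits.append(("usb-collector-script", pid))
        if in_staging_dir(exe):
            hits.append(("exec-from-staging-dir", pid))
    elif rec["event"] == "net":
        # Discord traffic is normal from a browser; from anything else it deserves a look.
        if dst_host(rec) in DISCORD_HOSTS and exe not in allowlist:
            hits.append(("discord-traffic-from-non-browser", pid))
    return hits


def find_alerts(lines, allowlist=BROWSER_ALLOWLIST):
    """Run every rule over every line; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pid in check_record(rec, allowlist):
            alerts.append({"ts": rec["ts"], "rule": rule, "pid": pid, "exe": rec.get("exe", "")})
    return alerts


def summarize(alerts):
    """Count alerts per rule so an analyst sees which behaviour fired and how often."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOGS)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:34} pid={a["pid"]} exe={a["exe"]}')
    print(dict(summarize(found)))
```

On the constructed sample, the Firefox connection to discord.com is ignored because the browser is allowlisted, while the payload running from `/tmp/.x` is flagged twice for Discord traffic and the dropped uevent_seqnum.sh is flagged both by name and for executing from a staging directory. The per-rule summary is what makes the Discord rule usable in practice: a single hit from an unknown binary is worth triage, whereas volume from an allowlisted client is expected noise.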