In addition to DSOP.pdf, the UPX-packed ELF carries the DISGOMOJI malware payload, which, upon execution, collects and exfiltrates system information including the IP address, username, hostname, operating system, and current working directory. Beyond these core functions, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, which checks for connected USB devices and copies their contents to a local folder on the infected system.
The analysis firm also found the campaign frequently using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a privilege escalation bug that affects BOSS9 systems and has seen in-the-wild exploitation even months after a fix was rolled out.
Discord C2 for evasion
The campaign uses a custom fork of the open source project discord-C2. The modified version of this project uses emojis in the Discord service for DISGOMOJI's C2 communications.
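As an added host-triage example (not code from the original article, the DISGOMOJI sample or discord-C2), the following Python helpers flag a UPX-packed ELF by its header marker and apply a heuristic kernel-version check for CVE-2022-0847. The fixed-version numbers are the upstream stable releases; that a distro kernel has not backported the fix is an assumption the version check cannot verify.

```python
"""Host-triage helpers (added example): flag UPX-packed ELF files and apply a
heuristic kernel-version check for CVE-2022-0847 (Dirty Pipe)."""
import re

# Upstream kernels that shipped the Dirty Pipe fix; 5.8 was the first affected
# release and 5.17+ include the fix. Distro kernels may backport the fix without
# changing the version string, so treat a True result as "verify", not "proven".
DIRTY_PIPE_FIRST_AFFECTED = (5, 8, 0)
DIRTY_PIPE_FIXED_MAINLINE = (5, 17, 0)
DIRTY_PIPE_FIXED_STABLE = {(5, 16): (5, 16, 11), (5, 15): (5, 15, 25), (5, 10): (5, 10, 102)}


def parse_kernel_version(release: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15, 0); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_possibly_dirty_pipe(release: str) -> bool:
    """True when the upstream version string predates the CVE-2022-0847 fix."""
    v = parse_kernel_version(release)
    if v < DIRTY_PIPE_FIRST_AFFECTED or v >= DIRTY_PIPE_FIXED_MAINLINE:
        return False
    fixed = DIRTY_PIPE_FIXED_STABLE.get(v[:2])
    # 5.8-5.14 series reached end of life without a stable fix: flag them.
    return True if fixed is None else v < fixed


def classify_elf(data: bytes) -> str:
    """Return 'not-elf', 'elf' or 'elf-upx' from the file's leading bytes."""
    if data[:4] != b"\x7fELF":
        return "not-elf"
    # Stock UPX writes a 'UPX!' marker shortly after the ELF headers; a modified
    # packer can strip it, so a missing marker is not proof of an unpacked file.
    return "elf-upx" if b"UPX!" in data[:4096] else "elf"


if __name__ == "__main__":
    import platform, sys
    # platform.release() is the running kernel release string on Linux.
    print("kernel", platform.release(), "dirty_pipe_candidate:",
          kernel_possibly_dirty_pipe(platform.release()))
    for p in sys.argv[1:]:
        with open(p, "rb") as f:
            print(p, classify_elf(f.read(4096)))
```

Run it with candidate binaries as arguments; a "dirty_pipe_candidate: True" result on a distro kernel should be confirmed against the vendor's advisory before being treated as an exposure.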