India faces evolved cyber espionage with novel Discord hack




Besides DSOP.pdf, the UPX-packed ELF carries the DISGOMOJI malware payload which, upon execution, collects and exfiltrates system information: the IP address, username, hostname, operating system and current working directory. Beyond these core functions, DISGOMOJI also downloads a shell script, uevent_seqnum.sh, that checks for connected USB devices and copies their contents to a local folder on the infected system.

The research firm additionally observed the campaign occasionally using the Dirty Pipe vulnerability (tracked as CVE-2022-0847), a privilege escalation bug affecting BOSS9 systems that was still being exploited in the wild months after a fix had been rolled out.

Discord C2 for evasion

The campaign uses a custom fork of the open source project discord-C2. The modified version relies on emojis posted within the Discord service to carry DISGOMOJI's C2 communications.
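As an added defender-side illustration (not code from the article or the researchers), the triage helper below turns the behaviours described above into two checks: a static test for a UPX-packed ELF, and a scan of process events for the USB-harvesting script and for non-browser processes talking to Discord. The event format, the sample lines, the `dsop` process name and the browser allowlist are all constructed assumptions.

```python
import re

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"          # present in stock UPX output; a modified packer can strip it, so treat as a hint only
DISCORD_HOSTS = ("discord.com",)
BROWSERS = {"firefox", "chrome", "chromium", "brave"}  # assumption: processes expected to reach Discord

# Constructed event line format (assumption): "<ts> pid=<n> comm=<name> exe=<path> args='<argv>' [net=<host:port>]"
EVENT_RE = re.compile(
    r"pid=(?P<pid>\d+) comm=(?P<comm>\S+) exe=(?P<exe>\S+) args='(?P<args>[^']*)'(?: net=(?P<net>\S+))?"
)


def is_upx_packed_elf(data: bytes) -> bool:
    """Static check: ELF magic at offset 0 plus the UPX marker somewhere in the image."""
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data


def triage_events(lines):
    """Return (pid, finding) pairs for events matching the DISGOMOJI behaviours on this page."""
    findings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        # 1. The downloaded USB-harvesting helper script named in the article.
        if "uevent_seqnum.sh" in e["args"] or e["exe"].endswith("uevent_seqnum.sh"):
            findings.append((e["pid"], "usb_harvest_script"))
        # 2. Discord used as C2: a non-browser process reaching Discord is worth a look.
        host = (e["net"] or "").rsplit(":", 1)[0]
        if host.endswith(DISCORD_HOSTS) and e["comm"] not in BROWSERS:
            findings.append((e["pid"], "non_browser_discord_c2"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2024-06-10T09:12:01Z pid=4112 comm=bash exe=/bin/bash args='bash /tmp/uevent_seqnum.sh'",
    "2024-06-10T09:12:05Z pid=4113 comm=dsop exe=/home/user/Downloads/dsop args='' net=discord.com:443",
    "2024-06-10T09:13:00Z pid=4120 comm=firefox exe=/usr/bin/firefox args='' net=discord.com:443",
    "2024-06-10T09:13:30Z pid=4121 comm=sshd exe=/usr/sbin/sshd args='' net=10.0.0.5:22",
]

if __name__ == "__main__":
    for pid, finding in triage_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```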


