UTA0137, a cyber espionage group linked to Pakistani hackers, has deployed DISGOMOJI, Golang malware disguised as emojis, to target Indian organizations. Volexity’s analysis of DISGOMOJI yielded the IoCs, and a DNS-focused threat hunt around them surfaced related artifacts. #DISGOMOJI #UTA0137 #TransparentTribe #IndianOrganizations #Volexity #Namecheap
Keypoints
- UTA0137 is a cyber espionage group believed to be affiliated with Pakistani hackers.
- DISGOMOJI is malware written in Golang, disguised as emojis.
- The attack primarily targets Indian organizations.
- Volexity disclosed 24 IoCs, including 19 domains and five IP addresses.
- Additional artifacts include five email-connected domains and eight malicious IP addresses; WhoisXMLAPI expansions mention 320 IP-connected domains and 31 string-connected domains.
- Most IoCs were registered between 2023 and 2024, with a majority administered by Namecheap, Inc., and the U.S. as the top registrant country.
- Further analysis revealed connections between the IoCs and additional malicious domains and IP addresses.
MITRE Techniques
- [T1071.001] Initial Access – Utilization of newly registered domains (NRDs) to facilitate initial access.
- [T1071] Command and Control – Malware communicates through DNS queries to resolve domains.
- [T1041] Exfiltration – Possible data exfiltration through the established command and control channels.
Indicators of Compromise
- [Domain] IoCs – 19 domains identified as IoCs, plus 5 email-connected domains uncovered during the DISGOMOJI DNS threat hunt.
- [IP Address] IoCs – 5 IP addresses identified as IoCs, and 8 additional malicious IP addresses.
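As an added example (not code from the CircleID post, Volexity or WhoisXMLAPI), the following Python sketches the hunt workflow the keypoints describe: match resolver queries against an IoC domain list, expand that list through the registrant-e-mail pivot (the "email-connected domains"), and flag queries for newly registered domains. Every domain, WHOIS record and log line below is a constructed placeholder, not an indicator from the report.

```python
from datetime import date

# All data below is constructed for the example; none of it is from the report.
IOC_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}
TODAY = date(2024, 8, 8)
# Constructed WHOIS-style records keyed by domain: creation date and registrant e-mail.
WHOIS = {
    "c2-example-one.test":  {"created": date(2024, 3, 2),   "email": "actor@mail.test"},
    "c2-example-two.test":  {"created": date(2023, 11, 20), "email": "actor@mail.test"},
    "pivot-hit.test":       {"created": date(2024, 1, 9),   "email": "actor@mail.test"},
    "fresh-lookalike.test": {"created": date(2024, 7, 30),  "email": "other@mail.test"},
    "corp-portal.test":     {"created": date(2015, 5, 1),   "email": "it@corp.test"},
}
# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
LOG = [
    "2024-08-08T10:00:01Z 10.0.0.5 www.corp-portal.test",
    "2024-08-08T10:00:07Z 10.0.0.5 api.c2-example-one.test",
    "2024-08-08T10:01:15Z 10.0.0.9 pivot-hit.test",
    "2024-08-08T10:02:40Z 10.0.0.9 cdn.fresh-lookalike.test",
]

def email_connected(iocs, whois):
    """Expand the IoC set to other domains sharing a registrant e-mail
    (the 'email-connected domains' pivot); returns only the new domains."""
    emails = {whois[d]["email"] for d in iocs if d in whois}
    return {d for d, rec in whois.items() if rec["email"] in emails} - set(iocs)

def registrable(qname):
    """Reduce a queried name to its registrable domain. Simplistic (last two
    labels); use a public-suffix list on real data."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])

def hunt(log_lines, iocs, whois, today=TODAY, max_age_days=90):
    """Return (client, qname, reason) for each query that hits a known IoC,
    an email-connected pivot domain, or a newly registered domain (NRD)."""
    pivots = email_connected(iocs, whois)
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        base = registrable(qname)
        if base in iocs:
            hits.append((client, qname, "ioc"))
        elif base in pivots:
            hits.append((client, qname, "email-connected"))
        elif base in whois and (today - whois[base]["created"]).days <= max_age_days:
            hits.append((client, qname, "nrd"))
    return hits
```

Run `hunt(LOG, IOC_DOMAINS, WHOIS)` to see one hit of each kind; the long-established corp-portal.test query produces none.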
Read more: https://circleid.com/posts/20240808-on-a-dns-threat-hunt-for-disgomoji