Emojis have become quite popular over the last few years as a means to quickly express ideas and emotions. However, hackers have now devised a clever new way to use them in their attacks.
As reported by Cybernews, a group of hackers have figured out how to modify the popular messaging service Discord to use it for command and control (C2). Hackers using Discord in their attacks is nothing new but a report from the cybersecurity firm Volexity highlights how this group is using the service alongside a number of common emojis.
Earlier this year, the Indian government came under attack from a Linux malware called Digomoji. Apparently the hackers behind it hail from Pakistan and have used emojis for C2 communication in several successful espionage campaigns.
To gain initial access, the researchers believe the hackers responsible used phishing attacks and malicious documents as a lure. Once installed on a vulnerable system though, the Digomoji malware creates a dedicated channel in a Discord server with each victim having their own separate channel.
From here, Disgomoji sends a check-in message back to the hackers with the target machine’s IP, username, hostname, OS and its current working directory. To make matters worse, the malware maintains persistence and remains on an infected system even after a reboot.
While we don’t have to worry about this particular malware strain yet, how the hackers behind this campaign use emojis to speed up their malicious activities is incredibly interesting and it could be a tactic we see other threat actors copy going forward.
Hacking with emojis
Instead of writing out long strings of commands, hackers that have deployed Disgomoji onto a targeted system can use emoji to communicate with the malware instead. They send an emoji to the Discord channel for that particular target and the malware does the rest. However, Disgomoji uses the Clock emoji to let the hackers know a command has been processed and a Check Mark Button emoji is displayed when that command has been successfully carried out.
Here’s a table from Volexity with some of the other emoji used to communicate with the malware:
| Emoji | Emoji Name | Purpose |
|---|---|---|
| 🏃♂️ | Man Running | Execute a command on the victim’s device |
| 📸 | Camera with Flash | Take a screenshot of a victim’s screen and upload it to the command channel |
| 👇 | Pointing Down | Download files from the victim’s device and upload them to the command channel as attachments |
| ☝️ | Pointing Up | Upload a file to the victim’s device |
| 👉 | Pointing Right | Upload a file from the victim’s device to a remote file-storage service |
| 👈 | Pointing Left | Upload a file from the victim’s device to a different remote file-sharing service |
| 🔥 | Fire | Find and send all files matching a predefined extension list that are present on a victim’s device |
| 🦊 | Fox | Zip all Firefox profiles form the victim’s device |
| 💀 | Skull | Terminate the malware process |
Discord also isn’t able to disrupt Disgomoji’s operations due to the fact that once a malicious server has been banned, the malware is able to restore itself by updating its credentials from a hacker-controlled C2 server.
The malware also has additional features to carry out its operations which include scanning a victim’s network, network tunneling and accessing a file sharing service for download and hosting the data it has stolen. Surprisingly, Disgomoji can also pretend to be a Firefox update and it can even ask victims to manually type in their passwords.
How to stay safe from hackers
Even though this particular malware strain likely won’t be used to target consumers anytime soon, you still need to be on the lookout for hackers if you don’t want to have your bank account drained or your identity stolen.
The easiest and simplest way to protect yourself from hackers is by running up to date software. This is because hackers love to target users running older software which still contains unpatched vulnerabilities. Though it may be annoying, taking the time to install that new OS or Chrome update could save you from falling victim to hackers.
From there, you want to make sure you’re using the best antivirus software on your Windows PC, the best Mac antivirus software on your Apple computer and one of the best Android antivirus apps on your smartphone.
If you have an iPhone, both Intego Internet Security X9 and Intego Mac Premium Bundle X9 can scan your Apple smartphone for viruses but it needs to be plugged into your Mac via a USB cable. The same goes for your iPad. The reason you need to resort to using Mac antivirus software to scan your mobile devices is due to Apple’s own restrictions when it comes to malware scanning on both iOS and iPadOS.
At the same time, you want to be extra careful when checking your inbox or your messages to avoid phishing attacks. Look out for emails or messages from unknown senders, avoid downloading any attachments or files and don’t click on any links they contain. You also want to avoid letting your emotions get the best of you since hackers often try to instill a sense of urgency to get you to act quickly and not think things through.
Hackers are always coming up with clever new ways to repurpose popular tools, software and services and now it looks like they’ve managed to do the exact same thing with emoji.
More from Tom's Guide
- I’m a security editor and this is how I create strong passwords that are also easy to remember
- Millions of Discord users being tracked by spy site — what you need to know
- This thief stole hundreds of iPhones and drained users’ bank accounts — 3 essential tips for staying safe
