Hackers are now using emoji to speed up their cyberattacks — how to stay safe

An emoji on a hacked phone on top of a laptop
(Image credit: Shutterstock)

Emojis have become quite popular over the last few years as a means to quickly express ideas and emotions. However, hackers have now devised a clever new way to use them in their attacks.

As reported by Cybernews, a group of hackers have figured out how to modify the popular messaging service Discord to use it for command and control (C2). Hackers using Discord in their attacks is nothing new but a report from the cybersecurity firm Volexity highlights how this group is using the service alongside a number of common emojis.

Earlier this year, the Indian government came under attack from a Linux malware called Digomoji. Apparently the hackers behind it hail from Pakistan and have used emojis for C2 communication in several successful espionage campaigns.

To gain initial access, the researchers believe the hackers responsible used phishing attacks and malicious documents as a lure. Once installed on a vulnerable system though, the Digomoji malware creates a dedicated channel in a Discord server with each victim having their own separate channel.

From here, Disgomoji sends a check-in message back to the hackers with the target machine’s IP, username, hostname, OS and its current working directory. To make matters worse, the malware maintains persistence and remains on an infected system even after a reboot.

While we don’t have to worry about this particular malware strain yet, how the hackers behind this campaign use emojis to speed up their malicious activities is incredibly interesting and it could be a tactic we see other threat actors copy going forward. 

Hacking with emojis

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

Instead of writing out long strings of commands, hackers that have deployed Disgomoji onto a targeted system can use emoji to communicate with the malware instead. They send an emoji to the Discord channel for that particular target and the malware does the rest. However, Disgomoji uses the Clock emoji to let the hackers know a command has been processed and a Check Mark Button emoji is displayed when that command has been successfully carried out.

Here’s a table from Volexity with some of the other emoji used to communicate with the malware:

Swipe to scroll horizontally
EmojiEmoji NamePurpose
🏃‍♂️Man RunningExecute a command on the victim’s device
📸Camera with FlashTake a screenshot of a victim’s screen and upload it to the command channel
👇Pointing DownDownload files from the victim’s device and upload them to the command channel as attachments
☝️Pointing UpUpload a file to the victim’s device
👉Pointing RightUpload a file from the victim’s device to a remote file-storage service
👈Pointing LeftUpload a file from the victim’s device to a different remote file-sharing service
🔥FireFind and send all files matching a predefined extension list that are present on a victim’s device
🦊FoxZip all Firefox profiles form the victim’s device
💀SkullTerminate the malware process

Discord also isn’t able to disrupt Disgomoji’s operations due to the fact that once a malicious server has been banned, the malware is able to restore itself by updating its credentials from a hacker-controlled C2 server.

The malware also has additional features to carry out its operations which include scanning a victim’s network, network tunneling and accessing a file sharing service for download and hosting the data it has stolen. Surprisingly, Disgomoji can also pretend to be a Firefox update and it can even ask victims to manually type in their passwords.

How to stay safe from hackers

Best antivirus software

(Image credit: Shutterstock)

Even though this particular malware strain likely won’t be used to target consumers anytime soon, you still need to be on the lookout for hackers if you don’t want to have your bank account drained or your identity stolen.

The easiest and simplest way to protect yourself from hackers is by running up to date software. This is because hackers love to target users running older software which still contains unpatched vulnerabilities. Though it may be annoying, taking the time to install that new OS or Chrome update could save you from falling victim to hackers.

From there, you want to make sure you’re using the best antivirus software on your Windows PC, the best Mac antivirus software on your Apple computer and one of the best Android antivirus apps on your smartphone. 

If you have an iPhone, both Intego Internet Security X9 and Intego Mac Premium Bundle X9 can scan your Apple smartphone for viruses but it needs to be plugged into your Mac via a USB cable. The same goes for your iPad. The reason you need to resort to using Mac antivirus software to scan your mobile devices is due to Apple’s own restrictions when it comes to malware scanning on both iOS and iPadOS.

At the same time, you want to be extra careful when checking your inbox or your messages to avoid phishing attacks. Look out for emails or messages from unknown senders, avoid downloading any attachments or files and don’t click on any links they contain. You also want to avoid letting your emotions get the best of you since hackers often try to instill a sense of urgency to get you to act quickly and not think things through.

Hackers are always coming up with clever new ways to repurpose popular tools, software and services and now it looks like they’ve managed to do the exact same thing with emoji.

More from Tom's Guide

Network
Arrow
Intego
Norton
Contract Length
Arrow
Showing 2 of 2 deals
Filters
Arrow
TOPICS
Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.