#FactCheck - Viral Video Claiming Iran’s Attack on US Airbase Debunked as 9/11 Footage
Executive Summary
A video showing thick smoke rising from a building and people running in panic is being shared on social media. The video is being circulated with the claim that it shows Iran launching a missile attack on the United States. CyberPeace’s research found the claim to be misleading. Our probe revealed that the video is not related to any recent incident. The viral clip is actually from the September 11, 2001 terrorist attacks on the World Trade Center in the United States and is being falsely shared as footage of an alleged Iranian missile strike on the US.
Claim:
An Instagram user shared the video claiming, “Iran has attacked a US airbase in Qatar. Iran has fired six ballistic missiles at the Al Udeid Airbase in Qatar. Al Udeid Airbase is the largest US military base in West Asia.”
Links to the post and its archived version are provided below.

Fact Check:
To verify the claim, we extracted key frames from the viral video and ran a reverse image search using Google Lens. During the search, we found visuals matching the viral clip in a report published by Wion on September 11, 2021. The report, titled “In pics | A look back at the scenes from the 9/11 attacks,” included an image that closely resembled the visuals seen in the viral video. The caption of the image stated that it was a file photo from September 11, 2001, showing pedestrians running as one of the World Trade Center towers collapsed in New York City.

Further research led us to the same footage on the YouTube channel CBS 8 San Diego. At the 01:11 timestamp of the video, visuals matching the viral clip can be clearly seen.

We also found an Al Jazeera report dated June 23, 2025, which confirmed that Iran had attacked US forces stationed at the Al Udeid airbase in Qatar in retaliation for US strikes on Iran’s nuclear facilities. However, the visuals used in the viral video do not correspond to this incident.

Conclusion
The viral video does not show a recent Iranian attack on a US airbase in Qatar. The clip actually dates back to the September 11, 2001 terrorist attacks on the World Trade Center in the United States. Old 9/11 footage has been falsely shared with a misleading claim linking it to Iran’s alleged missile strike on the US.
Related Blogs

Introduction
As automobiles have modernized, so have the methods employed by criminals who seek to steal them. The old method of smashing a car window or bypassing an engine lock is no longer prevalent. Modern car thieves clone keys and digital signals and use sophisticated methods to commit crimes without leaving any traces behind. In an era where intelligence is crucial, the forensic examination of car keys has become an indispensable tool for investigations, providing clues buried within ordinary car keys.

The Need for Car Key Forensics Today
Daily, thousands of cars worth millions are being hacked or stolen around the globe. The shocking thing is that most of these hacks do not have any sign of breakage or forced entry. It is because the thieves use vulnerabilities in the wireless key systems to unlock the vehicles without leaving any trace behind. Therefore, car-key forensics has now become more important than ever before.
Forensic Value of Smart Key
A smart key does more than lock and unlock a vehicle; it operates as a miniature computer. Smart keys can contain information such as pairing records, frequency of use, or the last time the key was used to unlock something, and this can offer evidence of criminal activity conducted using them.
Patterns of Vehicle Theft
Through the examination of the chip in a key, one will be able to establish whether the key was legally programmed or had been tampered with by some other means. Such forensics become more important when trying to detect and monitor any car theft rings, which employ cloning machines or software.
Confirming Ownership and Authenticity
In cases involving insurance claims or fraud, smart key data can help confirm whether the person making a claim actually owned or used the car during the incident. It’s digital proof that goes beyond what paperwork or statements can show.
Strengthening Legal Cases
When brought to court, data doesn’t lie. A properly handled forensic examination of a car key can provide hard evidence — the kind that holds up under questioning and supports or disproves claims with complete accuracy. In many cases, this small device becomes the most reliable witness in the investigation.
A Real-Life Example
Consider the following scenario: An expensive SUV is stolen from a parking lot secured with security surveillance. No one is captured on camera and there is no sign of forced entry. After days of investigation, the police end up arresting a suspect with a smart key.
During forensic analysis of the smart key, it is revealed that:
- The transponder has an ID number which can be matched against the immobilizer installed in the vehicle.
- The rolling code counter has been incremented in such a way that the date corresponds with the report of theft of the vehicle.
- The extracted information helps match the pair timestamp of the key with the particular make and model of the vehicle.
All this from a single piece of evidence – the smart key.
Inside a Smart Key: Where the Data Lives

An average smart key is not only a remote but also a multi-level set of data carriers:
- Plastic Shell – could include serial numbers and information on the manufacture.
- Battery – helps calculate the time of using the key or detect any modifications.
- Antenna Coil – sends encrypted information to the immobilizer of a car.
- Microchip / EEPROM – holds key identification code, rolling code, VIN number, and/or other information of the vehicle.
- Buttons / sensors – could record any pressing or transmission actions in some cases.
All the little devices above, once properly studied via forensics software, provide valuable information.
How the Investigator Uncovers the Truth
When investigating the true story behind a vehicle, forensic analysts treat the car key the same way they handle other forms of digital evidence. The key is essentially an encrypted device, and with special techniques analysts are able to reveal the information it contains.
Some of the methods used by modern forensic laboratories include:
1. Intercepting Radio Signals
Every smart key transmits radio signals to communicate with a car. Specialists employ advanced antennas and radio frequency (RF) analysers to capture and analyse them. This makes it possible to understand the interaction between the key and the car: how often the key was used, what kind of authentication procedure takes place, and whether the signal matches the car’s own or has been forged.
2. Checking Out the Key’s Brain (Analysis of EEPROM)
There is always a special chip on the key that is responsible for its activity. The chip contains an important memory module (EEPROM – Electrically Erasable Programmable Read-Only Memory), which holds various data, including key IDs and rolling codes. It can be carefully retrieved via advanced tools. Thus, it is possible to determine whether somebody tried to tamper with the key.
3. The Correlation between the Key and Car’s Information
The information stored inside the key is not examined in isolation: investigators correlate the key's data with that of the vehicle itself (ECU and immobilizer). If the two sets of information coincide, the investigation may conclude that the key belongs to the vehicle. Otherwise, this may indicate either cloning or tampering.
4. Identifying the Tampering and Cloning Evidence
As was mentioned above, thieves sometimes resort to using unlawful programming devices for duplicating smart car keys. In order to detect possible cloning, experts examine the key using various diagnostic devices to find out whether the keys were modified by changing the encryption code, frequencies, and hardware itself.
The outcome of this process is that all actions committed with this particular key become documented, recorded inside the device itself. Even if someone tries to hide or remove information concerning a particular incident, some data will always remain.
Car Key Forensics in the Future
The evolution of cars to connect with other devices and adopt self-driving technologies requires new investigative methods to be used for vehicle-related crimes. Advanced car keys or smartphone apps that replace physical keys will likely incorporate biometric authentication, cloud integration, or blockchain records of key activity in the near future.
Such improvements will pose several threats and offer many benefits:
- Artificial intelligence tools can determine if the car key is cloned based on its behaviour pattern.
- Blockchain validation ensures all key-related activities are recorded and cannot be altered.
- Cyber-forensic protocols will become increasingly necessary for investigating criminal activity related to vehicles.
Car key forensics technology will not only allow solving crimes but may become instrumental in crime prevention.
Conclusion
A car key in this era is more than just an unlocking mechanism; it is a miniature data storage facility, which can yield information about the user, intentions, and access rights. The more cars become technologically advanced, the more the examination of smart keys becomes necessary as part of correlating physical evidence with digital investigation. It clearly indicates how small objects such as keys can play pivotal roles in cracking cases.

Executive Summary:
Recently, a viral social media post alleged that the Delhi Metro Rail Corporation Ltd. (DMRC) had increased ticket prices following the BJP’s victory in the Delhi Legislative Assembly elections. After thorough research and verification, we have found this claim to be misleading and entirely baseless. Authorities have asserted that no fare hike has been declared.
Claim:
Viral social media posts have claimed that the Delhi Metro Rail Corporation Ltd. (DMRC) increased metro fares following the BJP's victory in the Delhi Legislative Assembly elections.


Fact Check:
After thorough research, we conclude that the claims regarding a fare hike by the Delhi Metro Rail Corporation Ltd. (DMRC) following the BJP’s victory in the Delhi Legislative Assembly elections are misleading. Our review of DMRC’s official website and social media handles found no mention of any fare increase. Furthermore, the official X (formerly Twitter) handle of DMRC has also clarified that no such price hike has been announced. We urge the public to rely on verified sources for accurate information and refrain from spreading misinformation.

Conclusion:
Upon examining the alleged fare hike, it is evident that the increase pertains to Bengaluru, not Delhi. To verify this, we reviewed the official website of Bangalore Metro Rail Corporation Limited (BMRCL) and cross-checked the information with appropriate evidence, including relevant images. Our findings confirm that no fare hike has been announced by the Delhi Metro Rail Corporation Ltd. (DMRC).

- Claim: Delhi Metro price Hike after BJP’s victory in election
- Claimed On: X (Formerly Known As Twitter)
- Fact Check: False and Misleading

Executive Summary:
Cybersecurity firm Volexity has discovered a new strain of Linux malware, referred to as DISGOMOJI. A Pakistan-based threat actor tracked under the alias ‘UTA0137’ has been identified as having espionage aims, with its primary focus on Indian government entities. Like other common backdoors and botnets involved in different types of cyberattacks, DISGOMOJI accepts commands to capture screenshots, search for files to steal, spread additional payloads, and transfer files. DISGOMOJI uses Discord (a messaging service) for Command & Control (C2) and uses emojis for C2 communication. This malware targets Linux operating systems.
The DISGOMOJI Malware:
- The DISGOMOJI malware opens a specific channel in a Discord server and every new channel corresponds to a new victim. This means that the attacker can communicate with the victim one at a time.
- The malware communicates with the attacker-controlled Discord server using an emoji-based relay protocol. The attacker sends specific emojis as instructions, and the malware replies with emojis to report the status of each command.
- For instance, the ‘camera with flash’ emoji is used to take and steal screenshots of the victim’s device, the ‘fox’ emoji cracks all Firefox profiles, and the ‘skull’ emoji kills the malware process.
- This C2 communication is done using emojis to ensure messaging between infected contacts, and it is almost impossible for Discord to shut down the malware, as it can always change the Discord account details it is using once the malicious server is blocked.
- The malware also has capabilities aside from the emoji-based C2 such as network probing, tunneling, and data theft that are needed to help the UTA0137 threat actor in achieving its espionage goals.
Specific emojis used for different commands by UTA0137:
- Camera with Flash (📸): Captures a picture of the target device’s screen as per the victim’s directions.
- Backhand Index Pointing Down (👇): Extracts files from the targeted device and sends them to the command channel in the form of attachments.
- Backhand Index Pointing Right (👉): Sends a file found on the victim’s device to a web-hosted file storage service known as Oshi, or oshi[.]at.
- Backhand Index Pointing Left (👈): Sends a file from the victim’s device to transfer[.]sh, which is an online service for sharing files on the Internet.
- Fire (🔥): Finds and transmits all files with certain extensions that exist on the victim’s device, such as *.txt, *.doc, *.xls, *.pdf, *.ppt, *.rtf, *.log, *.cfg, *.dat, *.db, *.mdb, *.odb, *.sql, *.json, *.xml, *.php, *.asp, *.pl, *.sh, *.py, *.ino, *.cpp, *.java,
- Fox (🦊): This works by compressing all Firefox related profiles in the affected device.
- Skull (💀): Kills the malware process in windows using ‘os.Exit()’.
- Man Running (🏃‍♂️): Executes a command on a victim’s device. This command receives an argument, which is the command to execute.
- Index Pointing Up (👆): Uploads a file to the victim's device. The file to upload is attached along with this emoji.
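For responders reviewing an export of a Discord channel tied to this activity, the emoji table above can be turned into a triage decoder that handles emoji modifier sequences and groups activity per channel. This is an added example, not code from Volexity or the original post; the message fields (`ts`, `channel`, `content`), the channel names and the convention that an argument follows the emoji are assumptions.

```python
from collections import Counter

# Command meanings as listed on this page; keys are each emoji's base code point.
COMMANDS = {
    "\U0001F4F8": ("screenshot", "collection"),                    # camera with flash
    "\U0001F447": ("send file to channel", "exfiltration"),        # pointing down
    "\U0001F449": ("send file to oshi[.]at", "exfiltration"),      # pointing right
    "\U0001F448": ("send file to transfer[.]sh", "exfiltration"),  # pointing left
    "\U0001F525": ("send files by extension", "exfiltration"),     # fire
    "\U0001F98A": ("compress Firefox profiles", "collection"),     # fox
    "\U0001F480": ("terminate malware", "control"),                # skull
    "\U0001F3C3": ("execute command", "execution"),                # man running
    "\U0001F446": ("upload file to victim", "ingress"),            # pointing up
}
# Variation selector, zero-width joiner, gender signs and skin tones can trail
# the base emoji depending on the client that typed it.
MODIFIERS = {0xFE0F, 0x200D, 0x2640, 0x2642} | set(range(0x1F3FB, 0x1F400))

def split_command(content):
    """Return (base_emoji, argument); assumes the emoji leads the message."""
    text = content.lstrip()
    if not text:
        return None, ""
    i = 1
    while i < len(text) and ord(text[i]) in MODIFIERS:
        i += 1
    return text[0], text[i:].strip()

def triage(messages):
    """Label every message that starts with a listed command emoji."""
    findings = []
    for msg in messages:
        base, arg = split_command(msg["content"])
        if base in COMMANDS:
            action, category = COMMANDS[base]
            findings.append({"ts": msg["ts"], "channel": msg["channel"],
                             "action": action, "category": category, "argument": arg})
    return findings

def summarize(findings):
    """Group findings per channel (one channel per victim, per the page)."""
    summary = {}
    for f in findings:
        ch = summary.setdefault(f["channel"], {"categories": Counter(),
                                               "executed": [], "exfil_paths": []})
        ch["categories"][f["category"]] += 1
        if f["category"] == "execution":
            ch["executed"].append(f["argument"])
        elif f["category"] == "exfiltration" and f["argument"]:
            ch["exfil_paths"].append(f["argument"])
    return summary

# Constructed sample export (hypothetical field and channel names, not real traffic).
SAMPLE = [
    {"ts": "2024-06-01T10:00:00Z", "channel": "host-a", "content": "\U0001F3C3\u200D\u2642\uFE0F whoami"},
    {"ts": "2024-06-01T10:00:05Z", "channel": "host-a", "content": "\U0001F4F8"},
    {"ts": "2024-06-01T10:01:00Z", "channel": "host-a", "content": "\U0001F447 /home/user/notes.txt"},
    {"ts": "2024-06-01T10:02:00Z", "channel": "host-b", "content": "hello team"},
    {"ts": "2024-06-01T10:03:00Z", "channel": "host-b", "content": "\U0001F525"},
]

if __name__ == "__main__":
    for channel, info in summarize(triage(SAMPLE)).items():
        print(channel, dict(info["categories"]), info["executed"], info["exfil_paths"])
```

Matching only on a leading emoji keeps ordinary chat that merely contains these emojis out of the findings, but the decoder is meant for channels already linked to the activity, not for scanning arbitrary Discord traffic.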
Analysis:
The analysis was carried out on one of the indicators of compromise, the file with SHA-256 hash C981aa1f05adf030bacffc0e279cf9dc93cef877f7bce33ee27e9296363cf002.
Most vendors have marked the file as a trojan on VirusTotal, and the graph explains the malicious nature of the contacted domains and IPs.


Discord & C2 Communication for UTA0137:
- Stealthiness: Discord is a well-known messaging platform used for different purposes, which means that sending any messages or files on the server should not attract suspicion. Such stealthiness makes it possible for UTA0137 to remain dormant for greater periods before launching an attack.
- Customization: Using Discord, UTA0137 is able to create specific channels for distinct victims on the server. Such a framework allows the attackers to communicate with each victim individually, making the process more accurate and efficient.
- Emoji-based protocol: Using emojis for C2 communication complicates any attempt Discord might make to interfere with the operations of the malware. If the malicious server gets banned, the malware can easily be recovered, especially by using the Discord credentials from the C2 server.
- Persistence: The malware, as stated above, is able to persist on the compromised system and withstand reboots, so that it can continue to operate without being detected by the owner of the compromised system.
- Advanced capabilities: Other features of DISGOMOJI include network mapping using the Nmap scanner, network tunneling through Chisel and Ligolo, and data exfiltration via file-sharing services. These capabilities support the espionage goals of UTA0137.
- Social engineering: The malware can show pop-up windows and prompt messages, for example a fake update for Firefox and similar applications, through which the user can be tricked into entering a password.
- Dynamic credential fetching: The malware does not hardcode the credentials it uses to connect to the Discord server. This also hinders analysts, as they are unable to easily locate the C2 server.
- Bogus informational and error messages: The malware never shows any real information or errors, so that its malicious behavior cannot be deciphered easily.
Recommendations to mitigate the risk of UTA0137:
- Regularly Update Software and Firmware: It is essential to regularly update all application software and the firmware of devices, particularly routers, to prevent hackers from exploiting discovered and disclosed flaws. This includes fixing bugs such as CVE-2024-3080 and CVE-2024-3912 on ASUS routers, which basically entails solving a set of problems.
- Implement Multi-Factor Authentication: Statistics show how often user accounts are attacked, so it is important to incorporate multi-factor authentication to further secure the accounts.
- Deploy Advanced Malware Protection: Provide robust protection that helps recognize and prevent the execution of the DISGOMOJI malware and similar threats.
- Enhance Network Segmentation: Use stringent network isolation mechanisms to compartmentalize key systems and data from the rest of the network in order to minimize the attack exposure.
- Monitor Network Activity: Scan the network hour to hour to identify and handle security breaches; tools such as Nmap, Chisel, Ligolo etc. can be used.
- Utilize Threat Intelligence: Leverage advanced threat intelligence to acquire knowledge of previous threats and vulnerabilities and take informed actions.
- Secure Communication Channels: Mitigate the leakage of developers’ credentials and of ways of engaging with Discord, to prevent abuse or attackers gaining control over Discord as an attack vector.
- Enforce Access Control: Regularly review and update user authentication processes by adopting stricter access control measures that allow only the right personnel to access the right systems and information.
- Conduct Regular Security Audits: It is important to conduct security audits periodically to check for weaknesses present within the network or systems.
- Implement Incident Response Plan: Conduct a risk assessment and, based on it, design and establish an efficient incident response kit that helps in the early identification, isolation, and management of security breaches.
- Educate Users: Educate users on cybersecurity hygiene, opportunities to strengthen affinity with the University, and conduct retraining on threats like phishing and social engineering.
Conclusion:
Volexity discovered a new threat actor from Pakistan, named UTA0137, which was using DISGOMOJI malware to attack Indian government institutions, issuing commands as emojis through the Discord app. The malware has the capability to exfiltrate data and aims to steal the data of government entities. UTA0137 was continuously improved over time to permanently communicate with victims. This underlines the necessity of strong protection from viruses and hacker attacks, using secure passwords and unique codes every time, updating software more often, and having high-level anti-malware tools. Organizations can minimize advanced threats such as DISGOMOJI and protect sensitive data by improving network segmentation, continuous monitoring of activities, and users’ awareness.
References:
https://otx.alienvault.com/pulse/66712446e23b1d14e4f293eb
https://thehackernews.com/2024/06/pakistani-hackers-use-disgomoji-malware.html?m=1
https://cybernews.com/news/hackers-using-emojis-to-command-malware/
https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/