Discord has become a household name in online gaming and digital communication.
Gamers, friends, and families flock to this platform to chat, share, and collaborate. Discord is one of the most widely used communication tools worldwide, with millions of users.
Yet, this widespread popularity has also attracted a new audience – malicious actors. The Trellix Advanced Research Center has recently unearthed a disturbing trend: cybercriminals exploit Discord, turning it into a fertile ground for their wicked activities.
In the past, we’ve witnessed malware that abused Discord’s infrastructure, mainly focusing on information theft and Remote Access Trojans (RATs).
The cybersecurity landscape is experiencing a pivotal moment as a new threat emerges.
Recently, Trellix researchers have come across a sample specifically aimed at vital Ukrainian infrastructure.
This marks a significant shift in the Advanced Persistent Threat (APT) activity, as Discord has become the latest platform to be targeted.
The findings revealed that multiple malware families have started leveraging Discord, with clear patterns emerging regarding when this abuse began.
The Discord Conundrum
Discord is a web-based application that functions over HTTP/HTTPS. This very feature is what makes it enticing to malicious actors.
It is prevalent not only in casual networks but is also extensively enabled in corporate environments.
This blending of contexts provides a convenient camouflage, hiding their activities from security software and researchers.
Malicious software’s exploitation of Discord predominantly focuses on two techniques: downloading additional files and exfiltrating information.
One favored method is through Discord’s Content Delivery Network (CDN), allowing attackers to upload files that can be downloaded later.
The modus operandi appears to be quite straightforward. The perpetrator fabricates a Discord account to transfer the malicious file, which they will then share discreetly through private messaging.
After uploading a file, it is not necessary for it to be made public in order for it to be accessible. The link to the file can be easily copied and used to download the “second stage” through a simple GET request.
Discord’s Webhooks: A Malicious Backdoor
Data exfiltration through Discord is accomplished using webhooks, an automation feature that allows attackers to send information and files from the victim’s machine.
This process involves creating a webhook associated with a specific channel on a private server, making it an ideal method for extracting sensitive data.
Historically, APT groups have refrained from Discord due to the platform’s limitations. It’s a double-edged sword, as Discord can access their data and potentially close their accounts.
However, a recent discovery of a sample targeting Ukrainian critical infrastructures suggests a possible change in this trend.
While the sample isn’t definitively linked to a known APT group, it’s a development that raises concerns and requires ongoing investigation.
Technical Analysis and Discoveries
The technical analysis of the sample in question reveals a multi-stage attack involving PowerShell scripts and Discord’s webhooks for data exfiltration.
The final payload aims at gathering information from the victim’s system. Interestingly, the malware families use Discord for their activities.
Threatray’s analysis shows the prevalence of these activities starting in late 2021, with malware families downloading a variety of payloads via Discord’s CDN.
Discord’s webhooks have also become popular for malware families looking to exfiltrate stolen data.
The data researchers highlight the critical malware families exploiting this method, including Mercurial Grabber, AgentTesla, and Umbral Stealer.
The usage of Discord by APT groups is a recent development, signaling a new and complex dimension of the threat landscape.
While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods for later stages.
However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats.
To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications have become essential, even to the extent of blocking them if necessary.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
