Saturday, May 18, 2024

Threat Actors Abuse Discord to Blend Within Organizations’ Network Traffic

Discord has become a household name in online gaming and digital communication. 

Gamers, friends, and families flock to this platform to chat, share, and collaborate. Discord is one of the most widely used communication tools worldwide, with millions of users.

Yet, this widespread popularity has also attracted a new audience – malicious actors. The Trellix Advanced Research Center has recently unearthed a disturbing trend: cybercriminals exploit Discord, turning it into a fertile ground for their wicked activities.

In the past, we’ve witnessed malware that abused Discord’s infrastructure, mainly focusing on information theft and Remote Access Trojans (RATs)

The cybersecurity landscape is experiencing a pivotal moment as a new threat emerges.

Recently, Trellix researchers have come across a sample specifically aimed at vital Ukrainian infrastructure.

This marks a significant shift in the Advanced Persistent Threat (APT) activity, as Discord has become the latest platform to be targeted.

The findings revealed that multiple malware families have started leveraging Discord, with clear patterns emerging regarding when this abuse began.

The Discord Conundrum

Discord is a web-based application that functions over HTTP/HTTPS. This very feature is what makes it enticing to malicious actors. 

It is prevalent not only in casual networks but is also extensively enabled in corporate environments. 

This blending of contexts provides a convenient camouflage, hiding their activities from security software and researchers.

Malicious software’s exploitation of Discord predominantly focuses on two techniques: downloading additional files and exfiltrating information.

One favored method is through Discord’s Content Delivery Network (CDN), allowing attackers to upload files that can be downloaded later. 

The modus operandi appears to be quite straightforward. The perpetrator fabricates a Discord account to transfer the malicious file, which they will then share discreetly through private messaging.

After uploading a file, it is not necessary for it to be made public in order for it to be accessible. The link to the file can be easily copied and used to download the “second stage” through a simple GET request.

Discord’s Webhooks: A Malicious Backdoor

Data exfiltration through Discord is accomplished using webhooks, an automation feature that allows attackers to send information and files from the victim’s machine. 

This process involves creating a webhook associated with a specific channel on a private server, making it an ideal method for extracting sensitive data.

Webhook creation on Discord
      Webhook creation on Discord (source:

Historically, APT groups have refrained from Discord due to the platform’s limitations. It’s a double-edged sword, as Discord can access their data and potentially close their accounts. 

However, a recent discovery of a sample targeting Ukrainian critical infrastructures suggests a possible change in this trend. 

While the sample isn’t definitively linked to a known APT group, it’s a development that raises concerns and requires ongoing investigation.

Technical Analysis and Discoveries

The technical analysis of the sample in question reveals a multi-stage attack involving PowerShell scripts and Discord’s webhooks for data exfiltration. 

The final payload aims at gathering information from the victim’s system. Interestingly, the malware families use Discord for their activities. 

Threatray’s analysis shows the prevalence of these activities starting in late 2021, with malware families downloading a variety of payloads via Discord’s CDN.

Most frequently downloaded malware families via Discord's CDN
Most frequently downloaded malware families via Discord’s CDN

Discord’s webhooks have also become popular for malware families looking to exfiltrate stolen data. 

The data researchers highlight the critical malware families exploiting this method, including Mercurial Grabber, AgentTesla, and Umbral Stealer.

The usage of Discord by APT groups is a recent development, signaling a new and complex dimension of the threat landscape. 

While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods for later stages.

However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats.

To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications have become essential, even to the extent of blocking them if necessary.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles