Friday, September 13, 2024
HomeCyber Security NewsThreat Actors Abuse Discord to Blend Within Organizations' Network Traffic

Threat Actors Abuse Discord to Blend Within Organizations’ Network Traffic

Published on

Discord has become a household name in online gaming and digital communication. 

Gamers, friends, and families flock to this platform to chat, share, and collaborate. Discord is one of the most widely used communication tools worldwide, with millions of users.

Yet, this widespread popularity has also attracted a new audience – malicious actors. The Trellix Advanced Research Center has recently unearthed a disturbing trend: cybercriminals exploit Discord, turning it into a fertile ground for their wicked activities.

- Advertisement - EHA

In the past, we’ve witnessed malware that abused Discord’s infrastructure, mainly focusing on information theft and Remote Access Trojans (RATs)

The cybersecurity landscape is experiencing a pivotal moment as a new threat emerges.

Recently, Trellix researchers have come across a sample specifically aimed at vital Ukrainian infrastructure.

This marks a significant shift in the Advanced Persistent Threat (APT) activity, as Discord has become the latest platform to be targeted.

The findings revealed that multiple malware families have started leveraging Discord, with clear patterns emerging regarding when this abuse began.

The Discord Conundrum

Discord is a web-based application that functions over HTTP/HTTPS. This very feature is what makes it enticing to malicious actors. 

It is prevalent not only in casual networks but is also extensively enabled in corporate environments. 

This blending of contexts provides a convenient camouflage, hiding their activities from security software and researchers.

Malicious software’s exploitation of Discord predominantly focuses on two techniques: downloading additional files and exfiltrating information.

One favored method is through Discord’s Content Delivery Network (CDN), allowing attackers to upload files that can be downloaded later. 

The modus operandi appears to be quite straightforward. The perpetrator fabricates a Discord account to transfer the malicious file, which they will then share discreetly through private messaging.

After uploading a file, it is not necessary for it to be made public in order for it to be accessible. The link to the file can be easily copied and used to download the “second stage” through a simple GET request.

Discord’s Webhooks: A Malicious Backdoor

Data exfiltration through Discord is accomplished using webhooks, an automation feature that allows attackers to send information and files from the victim’s machine. 

This process involves creating a webhook associated with a specific channel on a private server, making it an ideal method for extracting sensitive data.

Webhook creation on Discord
      Webhook creation on Discord (source: trellix.com)

Historically, APT groups have refrained from Discord due to the platform’s limitations. It’s a double-edged sword, as Discord can access their data and potentially close their accounts. 

However, a recent discovery of a sample targeting Ukrainian critical infrastructures suggests a possible change in this trend. 

While the sample isn’t definitively linked to a known APT group, it’s a development that raises concerns and requires ongoing investigation.

Technical Analysis and Discoveries

The technical analysis of the sample in question reveals a multi-stage attack involving PowerShell scripts and Discord’s webhooks for data exfiltration. 

The final payload aims at gathering information from the victim’s system. Interestingly, the malware families use Discord for their activities. 

Threatray’s analysis shows the prevalence of these activities starting in late 2021, with malware families downloading a variety of payloads via Discord’s CDN.

Most frequently downloaded malware families via Discord's CDN
Most frequently downloaded malware families via Discord’s CDN

Discord’s webhooks have also become popular for malware families looking to exfiltrate stolen data. 

The data researchers highlight the critical malware families exploiting this method, including Mercurial Grabber, AgentTesla, and Umbral Stealer.

The usage of Discord by APT groups is a recent development, signaling a new and complex dimension of the threat landscape. 

While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods for later stages.

However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats.

To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications have become essential, even to the extent of blocking them if necessary.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...