Andrew Brandt, SophosLabs Principal Researcher, and Sean Gallagher, Senior Threat Researcher at Sophos, tell us that cybercriminals abuse a successful chat service to host, spread and control malware targeting their users.
Threat actors who spread and manage malware have long abused legitimate online services. As we found during our investigation into the use of TLS by malware, more than half of the network traffic generated by malware uses TLS encryption, and 20% of that traffic involved the malware communicating with legitimate online services.
During the timeframe of that research, we found that 4% of the overall TLS-protected malware downloads came from one service in particular: Discord. The growing popularity of the game-centric text and voice chat platform has not failed to draw the attention of malware operators.
Discord operates its own content delivery network, or CDN, where users can upload files to share with others. The service also publishes an API, enabling developers to create new ways to interact with Discord other than through its client application. We observed significant volumes of malware hosted in Discord’s own CDN, as well as malware interacting with Discord APIs to send and receive data.
Several password-hijacking malware families specifically target Discord accounts. SophosLabs also found malware that leveraged Discord chat bot APIs for command and control, or to exfiltrate stolen information into private Discord servers or channels.
As the origins of the service were tied to online gaming, Discord’s audience includes large numbers of gamers — including players of youth-oriented titles such as Fortnite, Minecraft or Roblox. Among the malicious files we discovered in Discord’s network were game cheating tools that target games with in-game Discord integration. The tools allegedly make it possible, by exploiting weaknesses in Discord’s protocols, for one player to crash the game of another player. We also found applications that serve as nothing more than harmless, though disruptive, pranks.
But the greatest share of the malware we found focuses on credential and personal information theft: a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then used the victims’ harvested Discord credentials to target additional Discord users.
We also encountered several ransomware families hosted in the Discord CDN — largely older ones, usable only to cause harm, as there’s no longer a way to pay the ransom. Files hosted on Discord also included multiple Android malware packages, ranging from spyware to fake apps that steal financial information or transactions.
Growing abuse of all kinds
Abuse of Discord, like abuse of any web-based service, is not a new phenomenon, but it is a rapidly growing one: Sophos products detected and blocked, just in the past two months, nearly 140 times the number of detections over the same period in 2020. In April, we reported over 9,500 unique URLs hosting malware on Discord’s CDN to Discord representatives.
In the second quarter, we detected 17,000 unique URLs in Discord’s CDN pointing to malware. And this excludes the malware not hosted within Discord that leverages Discord’s application interfaces in various ways. Just prior to publication, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.
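As an added defender-side example (not code from the Sophos article), the following Python flags web-proxy log entries in which a client fetched an executable-like attachment from Discord's CDN. The log format and sample lines are constructed; the CDN hostnames and the `/attachments/<channel>/<id>/<filename>` path layout are assumptions about Discord's public CDN, not details taken from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article): "<client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/invoice.exe 200
10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/photo.png 200
10.0.0.7 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/update.pdf.scr 200
10.0.0.9 GET https://example.com/downloads/tool.exe 200
10.0.0.7 GET https://cdn.discordapp.com/attachments/444444444444444444/666666666666666666/setup.apk 200
"""

# Discord CDN hostnames: an assumption based on Discord's public CDN, not stated in the article.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# File types matching the article's findings: Windows executables and Android packages, plus common droppers.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".msi", ".bat", ".ps1", ".jar", ".apk"}
# Assumed attachment path layout: /attachments/<channel_id>/<attachment_id>/<filename>
ATTACHMENT_PATH = re.compile(r"^/attachments/\d+/\d+/[^/]+$")


def flag_discord_cdn_executables(log_text):
    """Return (client_ip, url) pairs for requests fetching executable-like attachments from Discord's CDN."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        client, _method, url, _status = parts[:4]
        parsed = urlparse(url)
        if parsed.hostname not in DISCORD_CDN_HOSTS:
            continue
        if not ATTACHMENT_PATH.match(parsed.path):
            continue  # only user-uploaded attachments, not other CDN paths (avatars, emoji, ...)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        # Test the final extension so double extensions such as "update.pdf.scr" are still caught.
        if any(filename.endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in flag_discord_cdn_executables(SAMPLE_LOG):
        print(f"{client} fetched an executable-like file from Discord's CDN: {url}")
```

The same check works on any log source that records full request URLs; in practice the hit list would feed an alert or a block rule rather than a print statement.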