Discord under siege: chat service used to host, spread, and control malware
Abuse for Discord has massively increased in popularity since last year, Sophos researchers claim. The chat platform is used to host, spread, and control malware.
It is no wonder that popular social networks immediately find themselves in great demand by cybercriminals, too. For example, encrypted chat apps, such as Telegram, Signal, and Whatsapp, have been instrumental in dismantling authoritarian regimes and organizing uprisings. However, because of their private nature, cybercriminals exploit them to sell illegal goods.
Discord’s story is somewhat similar. Being an open and convenient space for like-minded people, especially gamers, also serves as a petri dish to grow and foster malware.
Sophos products detected and blocked nearly 140 times more URLs hosting malware on Discord in the past two months, compared with the same period in 2020. Discord hosts 4% of all TLS-protected malware downloads detected by Sophos.
“Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram. Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering,” Sean Gallagher, a senior threat researcher at Sophos, said.
Researchers found malware that can steal private images from the camera on an infected device and ransomware from 2006 that the attackers have resurrected to use as mischiefware. The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key.
The Sophos investigation team looked into the malicious contents linked to Discord and found the following.
1. The malware is often disguised as gaming-related tools and cheats. Common cheats include modifications that allow players to disable an opponent or access premium features for free – usually for popular online games such as Minecraft, Fortnite, Roblox, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
2. Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware belongs to the Bladabindi family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token loggers built specifically to steal Discord accounts.
In another instance, the researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a mod called “Saint.” Saint is, in fact, spyware, capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device.
3. Researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The analyzed files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offer victims the chance to get a decryption key.
“Adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed,” Gallagher said.
He recommended Discord users not just leave it to the platform to identify and remove suspicious links but be vigilant to the threat of malicious content instead.
“In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere,” Gallagher concluded.
More great CyberNews stories:
Subscribe to our newsletter