Discord CDN and API Abuses Drive Wave of Malware Detections

Targets of Discord malware expand far beyond gamers.

Discord has a malware problem. And although the platform is predominantly used by gamers, it turns out even users who have never interacted with Discord are at risk.

Discord organizes users into "servers," groups or communities whose members can quickly exchange voice, text and other media messages with one another.

Researchers say there has been a massive uptick in Discord malware detections compared to last year. In a report released by Sophos, the company says incidents have jumped 140 times compared to 2020. The primary culprits in the Discord jump are its content delivery network (CDN) and application programming interface (API) – both tools cybercriminals have been abusing.

Discord’s CDN is being abused to host malware, while its API is being leveraged to exfiltrate stolen data and facilitate hacker command-and-control channels, Sophos added.

Because Discord is heavily trafficked by younger gamers playing Fortnite, Minecraft and Roblox, a lot of the malware floating around amounts to little more than pranking, such as code used to crash an opponent's game, Sophos explained. But the spike in info stealers and remote access trojans (RATs) is more alarming, it added.

Discord Credential Stealers, RATs

“But the greatest percentage of the malware we found have a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs,” the report said. “The threat actors behind these operations employed social engineering to spread credential-stealing malware, then use the victims’ harvested Discord credentials to target additional Discord users.”

The team also found outdated malware including spyware and fake app info stealers being hosted on the Discord CDN.

Comparing the number of URLs hosting malware on Discord’s CDN gives an idea of the looming problem. Sophos reported detecting 9,500 malicious URLs on Discord’s CDN in April. In the following months, that number spiked to 17,000 URLs.

“And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways,” the report said. “At just prior to publication time, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.”
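The two abuses the report describes, executables served from Discord's CDN and the Discord API used to move stolen data, both leave traces in outbound web-proxy logs. The following detection script is an added example, not code from the Sophos report or from Threatpost; the CDN and webhook URL shapes it matches are taken from Discord's publicly documented URL formats, the log line layout is assumed, and the sample log lines are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Executable-type suffixes worth flagging when downloaded from a chat CDN.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".ps1", ".js", ".vbs", ".jar", ".msi")

# Public Discord URL shapes (assumed from Discord's documented formats, not from the report):
# attachments on the CDN, and webhook endpoints on the API that accept POSTed data.
CDN_ATTACHMENT = re.compile(r"^/attachments/\d+/\d+/[^/]+$")
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_\-]+$")
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
DISCORD_API_HOSTS = {"discord.com", "discordapp.com"}


def classify(method: str, url: str) -> Optional[str]:
    """Return a finding label for one proxy-log request, or None if nothing stands out."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in DISCORD_CDN_HOSTS and CDN_ATTACHMENT.match(u.path):
        filename = u.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(EXEC_SUFFIXES):
            return "discord-cdn-executable-download"
    if host in DISCORD_API_HOSTS and WEBHOOK_PATH.match(u.path) and method.upper() == "POST":
        # A client POSTing to a webhook from a workstation is a common exfiltration path.
        return "discord-webhook-post"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse assumed 'client method url status' lines; return (client, label, url) findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the scan
        client, method, url = parts[0], parts[1], parts[2]
        label = classify(method, url)
        if label:
            findings.append((client, label, url))
    return findings


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/2222/update.exe 200",
    "10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/2223/screenshot.png 200",
    "10.0.0.37 POST https://discord.com/api/webhooks/3333/AbCdEf-ghijk_lmnop 204",
    "10.0.0.37 GET https://discord.com/channels/@me 200",
    "10.0.0.50 GET https://example.org/setup.exe 200",
]

if __name__ == "__main__":
    for client, label, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

Only the two Discord-specific events in the sample are flagged; the image download, the ordinary Discord page view and the non-Discord .exe are left alone, so the hits can be triaged against known-good webhook integrations.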

Sophos points out that Discord's "servers" are in fact Elixir/Erlang virtual machines on Google Cloud fronted by Cloudflare, and that they can be open to any user or, for a premium, made "private," with keys used to invite others to join. Discord's CDN is just Google Cloud Storage, which makes the shared files accessible on the internet, the report added.

Discord Juicy Target

This elastic architecture is exactly the kind of thing cybercriminals are looking for.

“Once files are uploaded to Discord, they can persist indefinitely unless reported or deleted,” the report said.

Discord chat channels also provide an excellent delivery system for phishing messages and malware links. Many lures used on Discord promise game "cheats" but instead deliver credential stealers of some variety, Sophos explained.

Discord itself has been targeted by credential stealers, according to the report.

In January, Sonatype found three malicious packages in a popular JavaScript package repository that included Discord token and credential stealers designed to gain access to users' personal information.

This isn't the first time Discord has had a security issue brought to its attention. In April, Cisco's Talos issued a report alerting users that Discord and Slack were both being increasingly abused to deliver RATs and info stealers. And in February, Zscaler ThreatLabZ warned that spam emails tied to the pandemic were circulating around Discord to try to trick users into downloading XMRig cryptominer malware.

By May, PandaStealer information-stealing malware was making the rounds through a spam campaign on Discord.

Discord has been responsive to their findings and is actively working to improve security on the platform, Sophos researchers said. But as more organizations turn to Discord for services, Sophos warns they should be aware of the threats lurking on the platform.

“With more organizations using Discord as a low-cost collaboration platform, the potential for harm posed by the loss of Discord credentials opens up additional threat vectors to organizations,” Sophos said. “Even if you don’t have a Discord user in your home or office, abuse of Discord by malware operators poses a threat.”
