Threat Actors Abuse Discord to Push Malware

The platform’s Content Delivery Network and core features are being used to send malicious files, including RATs, across its network of 150 million users, putting corporate workplaces at risk.

Threat actors are abusing the core features of the popular Discord digital communication platform to persistently deliver various types of malware, in particular remote access trojans (RATs) that can take over systems, putting its 150 million users at risk, researchers have found.

RiskIQ and CheckPoint both discovered multi-functional malware being sent in messages across the platform, which allows users to organize Discord servers into topic-based channels in which they can share text, image or voice files or other executables. Those files are then stored on Discord’s Content Delivery Network (CDN) servers.

Researchers warn, “many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by actors by creating channels with the sole purpose of delivering these malicious files,” according to a report published Thursday by Team RiskIQ.

Initially Discord attracted gamers, but the platform is now being used by organizations for workplace communication. The storage of malicious files on Discord’s CDN and proliferation of malware on the platform mean that “many organizations could be allowing this bad traffic onto their network,” RiskIQ researchers wrote.

RATs and Miscellaneous Malware

Features of the latest malware found on the platform include the capability to take screenshots, download and execute additional files, and perform keylogging, CheckPoint researchers Idan Shechter and Omer Ventura disclosed in a separate report also published Thursday.

CheckPoint also found that the Discord Bot API (a simple Python implementation that eases modifications and shortens the development process of bots on the platform) “can easily turn the bot into a simple RAT” that threat actors can use “to gain full access and remote control on a user’s system.”

Discord bots are becoming an increasingly integral part of how users interact with Discord, allowing them to integrate code for enhanced features to facilitate community management, researchers said.

“Discord bots appear to be powerful, friendly and highly time-saving,” Shechter and Ventura wrote. “However, with great power also comes great responsibility, and Discord’s bot framework can be easily used for malicious intent.”

CheckPoint researchers discovered several malicious repositories on GitHub that are relevant to the Discord platform. These repositories include malware based on the Discord API and malicious bots with different functionalities, they said.

Exploiting Discord Channels

Meanwhile, RiskIQ researchers examined Discord CDN URLs containing .exe, DLL and various document and compressed files, discovering upon review of the hashes on VirusTotal that more than 100 were delivering malicious content. Eighty files were from 17 different malware families, with trojans comprising the most common malware observed on the platform, researchers said.

Specifically, RiskIQ researchers took a deeper dive into the structure of Discord CDN links, which follow the format [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown)], and used that structure to discover malware, they said.

Researchers detected links and queried Discord channel IDs used in these links, which enabled them to identify domains containing web pages that link out to a Discord CDN link with a specific channel ID, they said.

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.”

In another example, RiskIQ discovered that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a site that provides users with micro landing pages to direct individuals to their Instagram and other social media pages, they explained.

“A user likely added the Discord CDN link to their Taplink page,” researchers explained. “Querying these IDs enables RiskIQ users to understand which Discord files and associated infrastructure are concerning and where they are across the web.”

The technique enabled researchers to determine the date and time Discord channels were created, linking ones created within a few days before the first observation of a file in VirusTotal to channels with the sole purpose of distributing malware, they said. Ultimately, they uncovered and cataloged 27 unique malware types hosted on Discord’s CDN.
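As an added example (not RiskIQ’s or Threatpost’s code), the triage described in this section: parse Discord CDN attachment links out of proxy log lines, pull out the channel and attachment IDs, and recover the channel’s creation time so that executables uploaded to a freshly created channel can be flagged. The timestamp decoding relies on the structure of Discord snowflake IDs (milliseconds since 2015-01-01 UTC in the upper bits); the log lines, file names, the RISKY_EXT list and the three-day freshness window are assumptions made for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Discord attachment links: cdn.discordapp.com/attachments/{ChannelID}/{AttachmentID}/{filename}
ATTACHMENT_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<name>[^\s\"'<>?#]+)"
)
# Extensions worth a closer look when served from the CDN (assumed list, based on the article).
RISKY_EXT = {".exe", ".dll", ".scr", ".zip", ".rar", ".7z", ".doc", ".docm", ".xls", ".xlsm"}
DISCORD_EPOCH_MS = 1420070400000  # Discord IDs are snowflakes: bits 22+ hold ms since 2015-01-01 UTC

def snowflake_time(snowflake: int) -> datetime:
    """Decode the creation time embedded in a Discord snowflake (channel or attachment ID)."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)

def make_snowflake(dt: datetime) -> int:
    """Inverse of snowflake_time; used only to construct sample IDs for this demo."""
    return (int(dt.timestamp() * 1000) - DISCORD_EPOCH_MS) << 22

def triage(log_lines, max_age_days=3):
    """Extract CDN attachment links and flag those with a risky extension uploaded to a channel
    created at most max_age_days earlier (RiskIQ's signal for single-purpose malware channels)."""
    findings = []
    for line in log_lines:
        for m in ATTACHMENT_RE.finditer(line):
            name = m["name"]
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            created = snowflake_time(int(m["channel"]))
            uploaded = snowflake_time(int(m["attachment"]))
            fresh = timedelta(0) <= uploaded - created <= timedelta(days=max_age_days)
            findings.append({"channel": m["channel"], "file": name, "ext": ext,
                             "channel_created": created.isoformat(),
                             "uploaded": uploaded.isoformat(),
                             "flag": ext in RISKY_EXT and fresh})
    return findings

# Constructed sample proxy log lines (not real traffic); the IDs are built from chosen timestamps.
SAMPLE_T0 = datetime(2021, 10, 20, tzinfo=timezone.utc)
OLD_CHANNEL = make_snowflake(datetime(2019, 5, 1, tzinfo=timezone.utc))
SAMPLE_LOG = [
    # channel created 2021-10-20, .exe uploaded one day later -> flagged
    f"2021-10-21T09:14:02Z GET https://cdn.discordapp.com/attachments/{make_snowflake(SAMPLE_T0)}/"
    f"{make_snowflake(SAMPLE_T0 + timedelta(days=1))}/ZoomOutlookPlugin.exe",
    # long-lived channel sharing an image -> not flagged
    f"2021-10-21T09:20:11Z GET https://cdn.discordapp.com/attachments/{OLD_CHANNEL}/{make_snowflake(SAMPLE_T0)}/screenshot.png",
    # long-lived channel sharing an archive -> risky extension, but the channel is not fresh
    f"2021-10-21T09:25:40Z GET https://cdn.discordapp.com/attachments/{OLD_CHANNEL}/{make_snowflake(SAMPLE_T0)}/tool.zip",
    "2021-10-21T09:30:00Z GET https://example.com/index.html",  # unrelated request
]
```

Running `triage(SAMPLE_LOG)` flags only the first link; the same channel IDs can then be pivoted on, as the researchers did, to find other pages and files tied to that channel.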

Security Holes Persist

The latest research isn’t the first time Discord has been called out for a malware problem. In July researchers from Sophos revealed that the number of Discord malware detections rose sharply compared to last year, also observing abuse of the CDN to host malicious files. Researchers also said at the time that Discord’s API was being leveraged to exfiltrate stolen data and facilitate hacker command-and-control channels.

The findings unsurprisingly raised an alarm among security experts, who said they demonstrate numerous holes in widely used communication and file-sharing platforms that rely on encrypted traffic for their security.

However, as has been observed many times before, encrypting traffic on APIs alone is not sufficient to keep malware off a content delivery network, noted one security professional.

“API abuse is best defended by ensuring that only genuine software clients can use the API, thus preventing malicious scripts and malware doing damage to the platform,” David Stewart, CEO of security firm Approov, said in an email to Threatpost.

The discovery also highlights a key problem in the development of communication platforms: the emphasis on functionality rather than security, said another security professional.

“This is an example of an exploitation that probably could have been addressed with a better software design,” Saryu Nayyar, CEO of security firm Gurucul, said in an email to Threatpost.

That said, Discord’s developers need to think about adding a way to collect and analyze data in real time from the platform to discover and quickly remediate unusual activity, she said.

“Absent a redesign of the Discord software, the only realistic way of detecting malware is to look for activities that are out of the ordinary,” Nayyar observed.