A rise in online gaming, tied to pandemic-mandated social distancing, has led to a spike in criminals targeting the demographic. The latest effort to exploit the trend is malicious files planted inside the Discord platform designed to trick users into downloading malware-laced files.
Researchers report multiple active campaigns targeting the Discord “cdn[.]discordapp[.]com” service designed to trigger an infection chain and serve-up the Epsilon ransomware, the data-stealer Trojans and the XMRrig cryptominer, according to a report by Zscaler ThreatLabZ. Attackers also are using the service for command-and-control (C2) communication, researchers observed.
Discord group-chatting platform originally built for gamers and has evolved to become a virtual watering hole for socializing. The app is used by gamers and alike for creating communities on the web, called “servers,” either as standalone forums or as part of another website. Discord supports voice, video, or text – allowing all to interact within created communities.
COVID-19 Safe, But Malware Laced Environment
Discord–like myriad other chat and online communication platforms–has seen an uptick in use. This has put a bullseye on Discord and other virtualized communities by hackers who see them as ripe targets for abuse.
“During 2020, research showed a sharp increase in game downloads, and this activity did not go unnoticed by cybercriminals,” according to the ThreatLabZ. “Attackers have often exploited the popularity of certain games (Among Us was a recent example) to lure players into downloading fake versions that served malware.”
While planting malware in Discord is not a new activity, researchers discovered a number of novel campaigns using various known malware to lure gamers from within the platform.
Malware Cornucopia
Malware found being planted recently in Discord includes not only Epsilon ransomware, but also the XMRig miner and three types of stealers—Redline Stealer, TroubleGrabber and a broad category of unidentified Discord token grabbers, according to ThreatLabZ.
The new Discord attacks observed by researchers usually start with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. The attack vector uses Discord services to form a URL to host a malicious payload as https://cdn[.]discordapp[.]com/attachments/ChannelID/AttachmentID/filename[.]exe
The campaigns rename malicious files as pirated software or gaming software as well as use file icons related to gaming to trick victims, according to the report.
Researchers investigated the attack vectors of the different types of malware detected in the latest Discord campaigns, which each have their own methods.
Key Findings
- Multiple campaigns relying on the cdn[.]discordapp[.]com service for their infection chain.
- Cybercriminals are using Discord CDN to host malicious files as well as for command-and-control communication.
- Malicious files are renamed as pirated software or gaming software to trick gamers.
- File icons are also related to gaming software to trick gamers.
- Multiple categories of malware are being served through the Discord app’s CDN infrastructure – ransomware, stealers, and cryptominers.
Different Malware Strokes, For Different Folks
In the case of the Epsilon ransomware, execution starts with dropping an .inf file and .exe file in the Windows/Temp folder of the user’s machine. The malware establishes persistence by creating a registry key on the victim’s machine and then enumerating through the the system drives to encrypt the files using double encryption–including a randomly generated 32-bit key and custom RC4 encryption that has a 2048-bit variable-length key.
Once encryption is established, the attack downloads the ransom note image from the cdn.discordapp.com link to show on the victim’s machine, researchers noted. However, unlike the stealers and cryptominer observed in the new campaigns, Epsilon does not use Discord to initiate C2 communication.
The Redline stealer–a new-ish Russian malware that’s been available on underground forums since last year—starts its attack by dropping a copy of itself into the AppData/Roaming folder of a victim’s machine. The stealer makes use of several popular gaming app names to perform its activities, which include collecting login and passwords, cookies, autocomplete fields and credit cards, as well as stealing data from FTP and IM clients, researchers said.
The XMRig miner initiates its attack by dropping a copy of itself at %ProgramData%\RealtekHDUpdater\realtekdrv[.]exe. and then changes the system’s file permissions without user consent as well as connects to the C2 server with various commands.
What Threat Actors are After
After trying to delete a slew of programs on the victim’s machine—including Process Hacker, Task Manager, Windows, Windows Task Manager, AnVir Task Manager, Taskmgr[.]exe and NVIDIA GeForce—the miner launches using the Monero address “4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQswVtyKcWBsLoeY6A2.”
The other grabbers observed by researchers use Discord tokens to steal user information, a type of malicious activity that researchers at Sonatype also observed targeting Discord last month using the CursedGrabber malware.
Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.
Researchers observed the TroubleGrabber performing token stealing in the latest campaigns as well as other various unidentified grabbers engaging in similar activity, they said.
Threatpost WEBINAR: Is your small- to medium-sized business an easy mark for attackers? Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.
