Cybercriminals are increasingly using the popular chat platform Discord to distribute and control malware targeting users of the service, new research by next-generation cybersecurity company Sophos has found.
According to researchers from the company, malware is increasingly targeting the Discord chat platform, and the misuse of Discord has grown substantially over the last year. The cyberthreats uncovered by the researchers include information-stealing malware, spyware, backdoors, and ransomware resurrected as "mischiefware".
The findings are based on an analysis by Sophos researchers of more than 1,800 malicious files detected on Discord's content management network (CDN). Among other things, the research reveals how the number of URLs hosting malware on the network during the second quarter of 2021 increased by 140% compared to the same period in 2020.
Sean Gallagher, senior threat researcher at Sophos said "Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram. Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering."
"We found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as 'mischiefware'. The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key," said Gallagher.
“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic to and from Discord to see what’s going on and raise the alarm if needed."
The investigation into malicious content linked to Discord found the following:
1. The malware is often disguised as gaming-related tools and cheats. Common “cheats” seen by Sophos researchers include modifications that allow players to disable an opponent or to access premium features for free – usually for a popular online game such as Fortnite, Minecraft, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
2. Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware Sophos detected on Discord belongs to the "Bladabindi" family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token "loggers" built specifically to steal Discord accounts. In another instance, the researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a "mod" called "Saint" that is in fact spyware capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device.
3. Sophos researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offering victims the chance to get a decryption key.
At a technical level, the researchers found some malware using the Application Programming Interface (APIs) of Discord "chat bots" to covertly communicate with and receive instructions from their command server. They also uncovered files that claim to install cracked versions of popular commercial software, such as Adobe Photoshop, and tools that claim to give the user access to the paid features of Discord Nitro, the service's premium edition.
Sophos recommends that organizations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote communication and collaboration platforms.