Tuesday, November 12, 2024
HomeCyber Security NewsThreat Actors Abuse Discord to Blend Within Organizations' Network Traffic

Threat Actors Abuse Discord to Blend Within Organizations’ Network Traffic

Published on

Malware protection

Discord has become a household name in online gaming and digital communication. 

Gamers, friends, and families flock to this platform to chat, share, and collaborate. Discord is one of the most widely used communication tools worldwide, with millions of users.

Yet, this widespread popularity has also attracted a new audience – malicious actors. The Trellix Advanced Research Center has recently unearthed a disturbing trend: cybercriminals exploit Discord, turning it into a fertile ground for their wicked activities.

- Advertisement - SIEM as a Service

In the past, we’ve witnessed malware that abused Discord’s infrastructure, mainly focusing on information theft and Remote Access Trojans (RATs)

The cybersecurity landscape is experiencing a pivotal moment as a new threat emerges.

Recently, Trellix researchers have come across a sample specifically aimed at vital Ukrainian infrastructure.

This marks a significant shift in the Advanced Persistent Threat (APT) activity, as Discord has become the latest platform to be targeted.

The findings revealed that multiple malware families have started leveraging Discord, with clear patterns emerging regarding when this abuse began.

The Discord Conundrum

Discord is a web-based application that functions over HTTP/HTTPS. This very feature is what makes it enticing to malicious actors. 

It is prevalent not only in casual networks but is also extensively enabled in corporate environments. 

This blending of contexts provides a convenient camouflage, hiding their activities from security software and researchers.

Malicious software’s exploitation of Discord predominantly focuses on two techniques: downloading additional files and exfiltrating information.

One favored method is through Discord’s Content Delivery Network (CDN), allowing attackers to upload files that can be downloaded later. 

The modus operandi appears to be quite straightforward. The perpetrator fabricates a Discord account to transfer the malicious file, which they will then share discreetly through private messaging.

After uploading a file, it is not necessary for it to be made public in order for it to be accessible. The link to the file can be easily copied and used to download the “second stage” through a simple GET request.

Discord’s Webhooks: A Malicious Backdoor

Data exfiltration through Discord is accomplished using webhooks, an automation feature that allows attackers to send information and files from the victim’s machine. 

This process involves creating a webhook associated with a specific channel on a private server, making it an ideal method for extracting sensitive data.

Webhook creation on Discord
      Webhook creation on Discord (source: trellix.com)

Historically, APT groups have refrained from Discord due to the platform’s limitations. It’s a double-edged sword, as Discord can access their data and potentially close their accounts. 

However, a recent discovery of a sample targeting Ukrainian critical infrastructures suggests a possible change in this trend. 

While the sample isn’t definitively linked to a known APT group, it’s a development that raises concerns and requires ongoing investigation.

Technical Analysis and Discoveries

The technical analysis of the sample in question reveals a multi-stage attack involving PowerShell scripts and Discord’s webhooks for data exfiltration. 

The final payload aims at gathering information from the victim’s system. Interestingly, the malware families use Discord for their activities. 

Threatray’s analysis shows the prevalence of these activities starting in late 2021, with malware families downloading a variety of payloads via Discord’s CDN.

Most frequently downloaded malware families via Discord's CDN
Most frequently downloaded malware families via Discord’s CDN

Discord’s webhooks have also become popular for malware families looking to exfiltrate stolen data. 

The data researchers highlight the critical malware families exploiting this method, including Mercurial Grabber, AgentTesla, and Umbral Stealer.

The usage of Discord by APT groups is a recent development, signaling a new and complex dimension of the threat landscape. 

While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods for later stages.

However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats.

To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications have become essential, even to the extent of blocking them if necessary.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...