APT groups continue to use Discord to spread malware and exfiltrate data, it is being commonly used by hackers to distribute malware and as a platform to steal authentication tokens. Consequently, Discord is serving as a breeding ground for malicious activity.
Considering a recent report by Trellix, it has been revealed that Discord is now being used by APT (advanced persistent threat) hackers, too, who target critical infrastructure through the platform to steal information.
Even though cybercrime has grown in magnitude and relevance in recent years, Discord has not been able to implement effective measures. This has prevented Discord from being able to deter cybercrime, deal with the issue decisively or at least limit its potential impact. Online gaming and digital communication have become part of a household name due to Discord. This is a platform that is becoming increasingly popular among gamers, friends, and families for chatting, sharing, and collaborating.
A lot of people, including millions of people worldwide, use the Discord program as a way to communicate with one another.
Discord Viruses: What Are They?
The Discord virus is a phrase used to describe a group of malware programs which can be found in the Discord app or distributed through the Discord platform. Discord users are frequently fooled by cybercriminals by the use of various tricks so that their devices can be infected by a virus which will cause devastating effects on the users' devices.
In Discord, users will most likely find a Remote Access Trojan (RAT), which is one of the most common types of malware.
It is most commonly found that hackers spread them by sending links that contain malicious codes, and when they gain administrative rights over a user's device, they can track their activity, steal data and manipulate settings without knowledge.
In Discord, users can also find RATs, spyware, adware, and other forms of malware that can potentially be installed along with the RAT. These can also be used as part of DDoS attacks as a means to spread viruses further into a user's system.
Trellix researchers have recently discovered a new sample of malware targeted specifically at crucial Ukrainian infrastructure, which has put the cybersecurity landscape at a pivotal point. The APT activity in Discord has changed significantly in the last few months, as the latest platform to be targeted is the Advanced Persistent Threat (APT).
There are three ways in which threat actors exploit Discord: they use its content delivery network (CDN) to distribute malware, they modify the Discord client to obtain passwords, and they exploit its webhook mechanism to gain access to the victim's data.
This is made possible because Discord's CDN was commonly used to deliver malicious payloads on a victim's PC.
As these files are sent from the trusted domain 'cdn.discordapp.com', malware operators can avoid detection by anti-virus software.
The data from Trellix shows that more than 10,000 malware samples rely on Discord's CDN to load their second-stage payloads on their systems, mostly malware loaders as well as generic loader scripts.
In addition to RedLine stealer, Vidar, AgentTesla, and zgRAT, Discord's CDN also fetched several other payloads through it.
There is one method, which is popular among users, to upload files that can later be downloaded, namely Discord’s Content Delivery Network (CDN). There seems to be no complicated method to this attack.
The perpetrator fabricates a Discord account so that they can transfer a malicious file, which will then be shared discreetly through a private message. This method appears to be quite straightforward.
The goal is to make the "second stage" available for download by simply copying and pasting the file's URL into a GET request which then allows it to be downloaded using the link that was handed to the user upon uploading the file.
Identifying malware on Discord
Antiviruses should be able to detect malicious software including Discord viruses but keep an eye out for any significant changes to how the system works. For instance, pop-ups could indicate that the device has been infected with adware.
Often, system performance changes can serve as a signal that something’s up.
Whether a user's computer starts crashing more frequently, simply slows down, or the browser starts misbehaving, they should check your system for viruses.
Outgoing traffic is a little harder to notice but an unexpected increase in data usage or network activity could indicate a malware infection.
Some types of malware, such as botnets, use your device’s resources to carry out tasks like sending spam or carrying out denial-of-service (DoS) attacks.
The usage of Discord by APT groups is a recent development, signalling a new and complex dimension of the threat landscape.
While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods at later stages.
However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats.
To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications has become essential, even to the extent of blocking them if necessary.
