Cybercriminals are using Discord, a popular VoIP, instant chat, and digital distribution network used by 140 million users in 2021, to disseminate malware files. 

Discord servers can be organised into topic-based channels where users can share text or audio files. Within the text-based channels, they can attach any form of material, including photos, document files, and executables. These files are maintained on the Content Delivery Network (CDN) servers of Discord. 

However, many files transferred over the Discord network are malicious, indicating that actors are abusing the site's self-hosted CDN by forming channels with the sole aim of distributing these harmful files. Although Discord was designed for the gaming community initially, many corporations are now adopting it for office communication. Many businesses may be permitting this unwanted traffic onto their network as a result of these malicious code files placed on Discord's CDN. 

RiskIQ researchers looked deeper into how Discord CDN utilises a Discord domain through links that use [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}] as the format to discover malware. 

According to the researchers, they spotted links and queried Discord channel IDs used in these links, enabling them to identify domains comprising web pages that connect to a Discord CDN link with a certain channel ID. 

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ determined that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a  site that offers users micro landing pages to send them to their Instagram and other social media accounts. 

According to the researchers, the approach allowed them to discover the day and time Discord channels were launched, connecting those generated within a few days after the first observation of a file in VirusTotal to channels with the sole purpose of disseminating malware. They eventually discovered and cataloged 27 distinct malware types hosted on Discord's CDN. 

Discord CDN URLs containing.exe, DLL, and different document and compressed files were detected by RiskIQ. It was discovered that more than 100 of the hashes on VirusTotal were transmitting malicious information. 

RiskIQ discovered more than eighty files from seventeen malware families, however, Trojans were the most frequent malware found on Discord's CDN. For most malware found on Discord's CDN, RiskIQ noticed a single file per channel ID. 

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 

• Backdoors, e.g., AsyncRat 

• Password Stealers, e.g., DarkStealer 

• Spyware, e.g., Raccoon Stealer 

• Trojans, e.g., AgentTesla 

The exploitation of Discord's infrastructure throws light on the rising problem of CDN abuse by malicious attackers across the web. Using internet-wide visibility to identify malware in CDN infrastructure is significant to limiting the damage these valuable malware delivery techniques might have on the firm.