Search This Blog

Showing posts with label Discord. Show all posts

How LofyGang Is Using Discord In A Massive Credential Stealing Attack


Checkmarx researchers have mapped out a complex web of criminal activity that all points back to a threat actor known as LofyGang. This group of cybercriminals provides free hacking tools, Discord-related npm packages, and other services to other nefarious actors and Discord users. These tools, packages, and services, however, come with a hidden cost: the theft of users' accounts and credit card credentials. 

The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various LofyGang sock puppet accounts. These npm packages look like genuine packages that enable users to interact with the Discord API. LofyGang dupes users into installing malicious packages instead of legitimate ones by uploading multiple versions of its packages with different misspellings of popular packages.

In order to give their malicious packages credibility on the npm website, the group also ties their npm packages to active and reputable GitHub repositories. An unsuspecting user who enters a typo while searching for a legitimate package may come across a listing for one of these malicious packages, fail to notice the misspelling, and install the package.

Unfortunately for those who install malicious npm packages, the packages are designed to steal users' account and credit card information. However, rather than containing malicious code directly, these packages rely on secondary packages that contain malicious code. Because malware is hidden in dependencies, the original malicious packages are less likely to be reported as malicious and removed from the npm website.

If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the user's original npm package, instructing it to rely on this new malicious dependency.

LofyGang distributes malicious hacking tools on GitHub in addition to malicious npm packages. The hacking tools, like the npm packages, are usually Discord-related. These programmes also contain malicious dependencies that steal account and credit card information. LofyGang promotes these tools on a variety of platforms, including YouTube, where the group posts tool tutorials.

The LofyGang's Discord server, which has been operational since October 2021, is another avenue for promoting the group's malicious hacking tools. Users can join this Discord server to get assistance with the tools. The server also includes a Discord bot that can grant users a free Discord Nitro subscription using stolen credit card information. 

However, in order to use the bot, users must provide their Discord account credentials, which LofyGang is likely to add to the growing list of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx's report shows that anyone using LofyGang's packages, tools, and services, whether they realise it or not, is handing over their account and credit card credentials.

Hackers Make Fake Cthulhu Website to Distribute Malware

Fake Cthulhu website spreads malware 

Threat actors have made a fake 'Cthulhu World ' play-to-earn community, this includes websites, social accounts, a medium developer site, and Discord groups to spread the Raccoon stealer, AsyncRAT, and Redline password stealing malware on innocent targets.

As play-to-earn communities have risen in popularity, threat actors and scammers constantly attack these new platforms for suspicious activities. 

The same applies to a new malware distribution campaign found by cybersecurity expert "iamdeadlyz", where hackers made an entire project to advertise a fake play-to-earn game known as Cthulhu World.

Hackers promote the fake project 

To publicize the 'project,' hackers send direct messages to users on Twitter asking if they wish to perform a test of their new game. In return of testing and promoting the game, the hackers promise of rewarding in Ethereum. 

When a user visits site (currently down), users are welcomed with a well designed website, it includes information about the project and an interactive map of the game's environment.

But, it is a fake site which is a copy of the original Alchemic World Project, which has warned its users to stay aware of the fake project. Someone made a fake account for our project, and copied the website, and all social media.

Experts say to "stay away"

"STAY AWAY this account and don't follow them. All their assets were stolen from our project," Tweeted Alchemic World. 

The Cthulhu World website is also different in some ways, for instance, when a user clicks the upper right-hand corner arrow on the website, the site brings them to a webpage requesting a "code" to download the "alpha" test of the project.

The hackers then distribute these codes to potential victims as a part of their DM conversations on Twitter. The access code list can be found on the site's source code. 

3 downloaded files contain the malware 

On the basis of the code entered, one of the three files is downloaded from the DropBox. All of these three files will install different malware, which allows the threat actor to pick and choose how they want to attack a particular victim. 

The three malware found by AnyRun installs are Raccoon Stealer, AsyncRAT, and RedLine Stealer.

"As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to find that some victims have already had their wallets cleaned out by this scam," says Bleeping Computer.

The Cthulhu World Website is currently shut down, but their Discord is up and running. It isn't clear if users on this Discord are aware that a website is sharing malware, however, few users have full faith that it is a genuine project.

How to protect yourself?

If you visited and installed any of their softwares, the user should immediately remove any items found and run an antivirus scan on the system right away.

You should also note that these malware infections can steal your cookies, crypto wallets, and saved passwords, you should reset all passwords and make a new wallet to import all the cryptocurrency.

The best way to protect yourself is to reinstall your system from scratch, as these malware infections give full access to an infected computer, and other suspicious malware can be installed.

Malicious PyPI Packages Surface, Attack Discord and Roblox

About PyPI Packages

10 malicious software packages were found in the Python Package Index (PyPI) repository, a week later, many others have come to surface, found by different firms. 

It has become a kind of whack-a-mole drill, taking out malicious codes only to find more taking its place. In the disclosure of last week, Check Point researchers discovered Trojanized packages imitating authentic components, it contained droppers for data stealing malware. 

This compelled Kaspersky researchers to further investigate the open source repository, which resulted in finding two more rogue offerings, known as "pyrequests" and "ultrarequests," that turned out to be one of the most famous popular packages in PyPI (simply known as "requests"). 

How did the attack happen?

Checkpoint says "Pypi has over 612,240 active users, working on 391,325 projects, with 3,664,724 releases.What many users are not aware is the fact that this one liner simple command can put them at an elevated risk. The pip install command triggers a package installation which can include a script."

The threat actor used a description of authentic "requests" package to fool victims into downloading harmful ones. The description includes false faked stats, saying the package was installed more than 230 million times in a month, having more than 48,000 stars on GitHub. 

The project description also hints towards web pages of legitimate requests package, along with the author's email. All mentions of orginal requests package have been interchanged with the names of malicious ones. 

Attackers target Discord and Roblox

When installed, it results in a W4SP Stealer infection, via which actors can extract Discord tokens, passwords, and saved cookies from browsers in seperate threads. 

Whereas, experts at Snyk earlier this week released findings about around 12 malicious PyPI packages that steal Discord and Roblox users' login credentials and payment details. Kyle Suero, Snyk's leading researcher, the malware also tries to steal Google Chrome data or pilfer passwords and bookmarks from Windows systems, pivoting through all the accounts. 

"Another interesting thing about this malware is that it is actually using Discord resources to distribute executables. Although this practice is not new, seeing tipped off our security researchers. The binaries are pulled down to the host via the Discord CDN," says Snyk.

The malicious packages have been wiped out from PyPI, but they don't have any idea about the number of times they were downloaded prior to that. Code repository attacks keep rising, as per ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase. 

"If we keep ignoring the core problem, that is trusting the code, we can't handle software supply chain security," says Tomislav Peričin, co-founder and chief software architect at ReversingLabs in the report. 

Data Spyware Delivered via Telegram & Discord Bots

Hackers have utilized these messaging apps in a variety of ways to transmit their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various activities on these platforms, which they mostly exploit in cooperation with data theft in order to be able to steal credentials or other information from unwary users.

According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.

Tactics & Techniques

Researchers at Intel 471 have found a number of data thefts that are openly accessible and depend on Telegram or Discord to operate.

Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming sites. Discord's content delivery network (CDN) is regularly used to store malware, as per researchers, because the platform doesn't place limitations on file storage.

One Telegram-focused botnet, dubbed X-Files, includes features that may be accessible through Telegram's bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice. 

Several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi, may import data into X-Files. Although Prynt Stealer, another stealer, operates similarly, it lacks the built-in Telegram commands.

The following malware families have been seen hosting harmful payloads on Discord CDN: PrivateLoader,  Discoloader, Colibri, Warszone RAT, Modi loader, Raccoon thief, Smokeloader Amadey,  Tesla agent thief, GuLoader, Autohotkey, and njRAT.


The entry threat for malicious actors is reduced by automation in well-known chat platforms. Data theft might be the initial step in initiating a targeted attack against an enterprise, even though they can not alone cause as much harm as malware like a data wiper or ransomware.

Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.

Discord Users Targeted by Malicious Npm Packages


Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information. 

The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer. 

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko. 

The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information. 

Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co). 

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions, researchers added. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further read.

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly scan and remove all new malicious packages. 

According to researchers, this is a repetitive process among malicious npm packages, and it's just one of the seemingly endless streams of malware specifically designed to target Discord users in recent years with info stealers. 

For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord user to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data wiping malware called Monster Ransomware. 

Earlier this year, JFrog researchers uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults.

Alert! Teen Hackers are Using Discord to Disseminate Malware


Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting, and selling malware and ransomware outbreaks, allegedly to make pocket money. 

The researchers assume they are all minors since they referenced their parents and instructors frequently and casually used age-specific slurs. Researchers discovered their actions via their Discord chat. The hackers sell malware variants of Snatch, Lunar, and Rift and provide a variety of services ranging from data theft to ransomware and crypto mining. 

However, researchers discovered that teen hackers mostly give easy-to-use malware builders and toolkits, allowing users to utilise them without real programming by using the "Do it yourself" (DIY) technique. 

How does the Group function? 

To become a group member or utilise the malware-as-a-service capability, interested parties must pay a charge. The registration price ranges from €5 to €25. Avast researchers observed in their analysis that about 100 accounts have already enrolled to get access to a hacking group. The malware dissemination method is a little unusual. 

The hackers posted a YouTube video displaying a bogus crack for a popular computer game or commercial software, along with a download link in the description. To establish credibility, additional users of the Discord group leave comments on the video, thanking the originator and confirming that the connection works. This method is even more twisted than bots for commenting since it becomes hard to recognise. 

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling. As a result, hacking ability among teenagers and minors must be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector. 

Parents must communicate to their children to understand the motivational elements that drive them to distribute malware. There are several tools accessible on Discord and other platforms to assist anyone interested in pursuing a career in the cybersecurity field. 

The first step, though, is for parents to interact with their children without passing judgement. It is worth emphasising that the organisation distributes unlawful malware without comprehending the gravity of the situation and dismissing it as a prank.

NFTs Worth 200 Ether Were Stolen From the Bored Ape Yacht Club 


Yuga Lab's Bored Ape Yacht Club or Otherside Metaverse Discord services were hacked to publish a phishing scheme, hackers allegedly took approximately $257,000 in Ethereum and 32 NFTs. A Yuga Labs community manager's Discord account was allegedly hacked on June 4 and used to spread a phishing scam on the firm's Discord servers. 

According to Coindesk, the attacker hacked Boris Vagner's Discord account, put many phishing links on the account, its related metaverse account 'Otherside,' and the NFT fantasy football team Spoiled Banana Society's (SPS) Discord account. As of 8.50 a.m., the worldwide crypto market capitalization had increased by 3.43 percent to $1.27 trillion. According to Coinmarketcap data, worldwide crypto volume increased by 18.04 percent to $51.24 billion. 

The phishing communications, which claimed to be from Vagner, advertised an exclusive prize and stated that only BAYC, Mutant Ape Yacht Club, and Otherside NFTS holders were eligible. The owners were then directed to a phishing site, where they were requested to input the login information. The attackers then took all Ethereum and NFTS contained in the account's associated wallet after receiving the login credentials. Yuga Labs finally regained login to the Discord server, but not before significant harm had been done. 

The seized NFTS were worth roughly 200 ETH ($361,000) according to BAYC's official Twitter account. The perpetrators made off with 145 Ethereum and 32 NFTS, valued at a total of $250,000.

Approximately 32 NFTs were taken, according to blockchain cybersecurity firm PeckShield, including the Bored Ape Yacht Club, Otherdeed, Bored App Kennel Club, and Mutant Ape Yacht Club projects. 

As per the reports, it is unknown how the forum manager's account was hacked or whether two-factor authentication was turned on, which generally protects against such assaults.

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 


Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest update, usage instructions, and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing its desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most premium at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers. 

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the user. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drivers, lan shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (completely undetectable), a claim supported by Virus Total data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible. 

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

OpenSea Warns of Discord Channel Hack


The nonfungible token (NFT) marketplace OpenSea had a server breach on its primary Discord channel, with hackers posting phoney "Youtube partnership" announcements. A screenshot shared on Friday reveals a phishing site linked to fraudulent collaboration news. 

The marketplace's Discord server was hacked Friday morning, according to OpenSea Support's official Twitter account, which urged users not to click links in the channel. OpenSea has "partnered with YouTube to bring their community into the NFT Space," according to the hacker's original post on the announcements channel. 

It also stated that they will collaborate with OpenSea to create a mint pass that would allow holders to mint their project for free. The attacker appeared to have been able to stay on the server for a long time before OpenSea staff was able to recover control. The hacker uploaded follow-ups to the initial totally bogus statement, reiterating the phoney link and saying that 70% of the supply had already been coined, in an attempt to generate "fear of missing out" in the victims. 

The scammer also tried to persuade OpenSea users by claiming that anyone who claimed the NFTs would receive "insane utilities" from YouTube. They state that this offer is one-of-a-kind and that there would be no other rounds to engage in, which is typical of scammers. As of this writing, on-chain data indicates that 13 wallets have been infiltrated, with the most valued stolen NFT being a Founders' Pass worth about 3.33 ETH ($8,982.58). 

According to initial reports, the hacker used webhooks to get access to server controls. A webhook is a server plugin that lets other software get real-time data. Hackers are increasingly using webhooks as an attack vector since they allow them to send messages from official server accounts. The OpenSea Discord server isn't the only one that uses webhooks. 

In early April, a similar flaw enabled the hacker to utilise official server identities to post phishing links on several popular NFT collections' channels, including Bored Ape Yacht Club, Doodles, and KaijuKings.

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters


The Discords of several prominent NFT projects were hacked last week as part of a phishing scheme to mislead members into handing up their digital jpegs. 

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now dubbed Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallets, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and soon sold it. Early Friday morning, this second wallet delivered 61 ETH ($211,000) to the mixing service Tornado Cash. The wallet's most recent transaction is a transfer of.6 ETH to an inactive wallet, which subsequently sent the same amount to an extremely active wallet with 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and a variety of other tokens. 

This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself. 

Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.

11 Malicious Python Packages Uncovered by Researchers


Researchers have found 11 malicious Python packages which have been installed more than 41,000 times from the Python Package Index (PyPI) repository that might be used to obtain Discord access tokens, passwords, and even stage dependency misunderstanding attacks. 

These Python packages have now been withdrawn from the repository as a result of JFrog's responsible disclosure —
  • important package / important-package 
  • pptest 
  • ipboards 
  • owlmoon 
  • DiscordSafety 
  • \trrfab 
  • 10Cent10 / 10Cent11 
  • yandex-yt 
  • yiffparty 

Two of the programs ("importantpackage," "10Cent10," and their variants) were discovered to gain a reverse shell upon that compromised system, granting the attacker total control over an affected system. Using a technique known as dependency confusion or namespace confusion, two additional packages, "ipboards" as well as "trrfab" masqueraded as valid dependencies intended to be immediately imported. 

Apart from typosquatting attacks, in which a threat actor purposefully discloses packages with misspelled names of popular variants, dependency confusion works by posting poisoned elements with the same names as valid internal private packages, although with a higher version as well as posted online to public repositories, basically forcing the target's package manager to download and install the nefarious module. 

The dependency "importantpackage" is particularly notable for its new network-based detection technique, which involves exploiting Fastly's the content delivery network (CDN) to disguise connections with the attacker-controlled server as interactions with pypi[.]org. 

The malicious code "causes an HTTPS request to be sent to pypi.python[.]org (which is indistinguishable from a legitimate request to PyPI), which later gets rerouted by the CDN as an HTTP request to the [command-and-control] server," JFrog researchers Andrey Polkovnychenko and Shachar Menashe noted. 

Eventually, both "ipboards" and a fifth package known as "pptest" were revealed to use DNS tunneling as a data exfiltration technique, depending on DNS requests as a means of communicating between both the victim PC and the remote server. According to JFrog, this is the first time the approach has been discovered in malware posted to PyPI. 

Targeting prominent code registries such as Node Package Manager (NPM) JavaScript registry, PyPI, and RubyGems has become routine, opening up a new arena for a variety of assaults. 

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and […] attackers are getting more sophisticated in their approach," said Menashe, JFrog's senior director of research. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling signal a disturbing trend that attackers are becoming stealthier in their attacks on open-source software."

Threat Actors Abuse Discord to Push Malware


Cybercriminals are using Discord, a popular VoIP, instant chat, and digital distribution network used by 140 million users in 2021, to disseminate malware files. 

Discord servers can be organised into topic-based channels where users can share text or audio files. Within the text-based channels, they can attach any form of material, including photos, document files, and executables. These files are maintained on the Content Delivery Network (CDN) servers of Discord. 

However, many files transferred over the Discord network are malicious, indicating that actors are abusing the site's self-hosted CDN by forming channels with the sole aim of distributing these harmful files. Although Discord was designed for the gaming community initially, many corporations are now adopting it for office communication. Many businesses may be permitting this unwanted traffic onto their network as a result of these malicious code files placed on Discord's CDN. 

Exploiting Discord channels 

RiskIQ researchers looked deeper into how Discord CDN utilises a Discord domain through links that use [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}] as the format to discover malware. 

According to the researchers, they spotted links and queried Discord channel IDs used in these links, enabling them to identify domains comprising web pages that connect to a Discord CDN link with a certain channel ID. 

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ determined that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a  site that offers users micro landing pages to send them to their Instagram and other social media accounts. 

According to the researchers, the approach allowed them to discover the day and time Discord channels were launched, connecting those generated within a few days after the first observation of a file in VirusTotal to channels with the sole purpose of disseminating malware. They eventually discovered and cataloged 27 distinct malware types hosted on Discord's CDN. 

About the malware 

Discord CDN URLs containing.exe, DLL, and different document and compressed files were detected by RiskIQ. It was discovered that more than 100 of the hashes on VirusTotal were transmitting malicious information. 

RiskIQ discovered more than eighty files from seventeen malware families, however, Trojans were the most frequent malware found on Discord's CDN. For most malware found on Discord's CDN, RiskIQ noticed a single file per channel ID. 

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 
• Backdoors, e.g., AsyncRat 
• Password Stealers, e.g., DarkStealer 
• Spyware, e.g., Raccoon Stealer 
• Trojans, e.g., AgentTesla 

The exploitation of Discord's infrastructure throws light on the rising problem of CDN abuse by malicious attackers across the web. Using internet-wide visibility to identify malware in CDN infrastructure is significant to limiting the damage these valuable malware delivery techniques might have on the firm.

Scammers Steal Victims Cryptowallets And NFTs, Posing as OpenSea Agents


The latest, quite significant, and severe Discord phishing attack intended at stealing cryptocurrency funds and NFTs have badly attacked OpenSea users. Cybercriminals have been sneaking on OpenSea's Discord server for the past week, masquerading as authorized support representatives for the website. These bogus employees provide confidential support to an OpenSea user in need, resulting in the loss of cryptocurrency and NFT collectibles managed in the victim's MetaMask wallets. 

OpenSea is the world's largest NFT marketplace, with a 542 percent rise in volume over the last month, accounting for over half of the company's entire lifetime transaction volume of $2.423 billion. 

OpenSea is indeed a peer-to-peer marketplace for crypto collectibles and non-fungible tokens. It encompasses collectibles, gaming items, and other virtual products secured by a blockchain. A smart contract on OpenSea allows anybody to buy or sell these products. This instance was a scenario where the fraudsters took advantage of the working of the site. 

Whenever an OpenSea user requires assistance, they could contact the site's help center or the site's Discord server. Later when the user joins the Discord server and publishes a help request, fraudsters lurking on the server immediately start sending the user personal messages. These messages include an invitation to an OpenSea Support server to receive further assistance. 

Jeff Nicholas, an artist who was a victim of this fraud, informed Bleeping Computer that after joining the bogus OpenSea support server, the scammers urged him to open the tab on screen sharing so that they could offer assistance and guidance in resolving the issue. 

“Lots of grooming, processing through the issue pulling you in. Then ask you to screen share so they can see what you are seeing”, Nicholas told. 

“Say you require to resync you MM and at this point your sort of stuck into fixing this thing whatever it is. Pull up QR code and it immediately says “synced” (because they scanned it). So then they have your seed phrase (without actually having it),” he explained.  

It is possible to sync the mobile MetaMask wallet with the Chrome extension by going to 'Settings', clicking on 'Advanced', and thereafter tapping 'Sync with mobile'. On this screen, users would be required to enter the password and then a QR code would be generated. 

The Mobile MetaMask Software automatically scans this QR Code to synchronize and import the user's Chrome wallet, immediately. Nevertheless, any user who encounters this QR code along with the bogus support representatives, can take a screenshot and use that snapshot to synchronize the wallet into their smartphone apps. 

Whenever the bogus support agents scan the QR code on their smartphone app, they gain complete access to the cryptocurrency and any NFT collectibles stored within it. The victims are then transported to the threat actors' wallets. 

To avoid having the wallets swiped by these types of frauds, one must never disclose their wallet's recovery keys, password phrases, or QR codes used for synchronizing. 

“Saddened to listen an OpenSea user was the victim of a significant phishing attack last night,” read a tweet by OpenSea’s Head of Product Nate Chastain. “The scammer masquerades as an OpenSea employee and has the user scan a QR code granting wallet access. Please be attentive and direct support requests through our Help Center/ZenDesk.”

Discord CDN and API Exploits Drive Wave of Malware Detections


As per the researchers, the number of reported Discord malware detections has increased significantly since last year. Even users who have never interacted with Discord are at risk, even though the network is mostly utilized by gamers as Discord has a malware problem.

Discord develops servers, or unique groups or communities of people, who can communicate instantly via voice, text, and other media. 

According to research issued by Sophos, occurrences have increased 140 times since 2020. The major cause of the Discord spike is its content delivery network (CDN) and application programming interface (API), both of which have been exploited by cybercriminals. 

The CDN of Discord is being exploited to host malware, while its API is being utilized to exfiltrate stolen data and allow hacker command-and-control channels. 

Since Discord is extensively used by younger gamers who play Fortnite, Minecraft, and Roblox, most of the virus floating around involves pranking, such as using code to crash an opponent's game, as per Sophos. However, the increase in data thieves and remote access trojans is more concerning, according to the report. 

“But the greatest percentage of the malware we found have a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then use the victims’ harvested Discord credentials to target additional Discord users,” the report added. “And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways. At just before publication time, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.” 

In April, Sophos discovered 9,500 malicious URLs on Discord's CDN. After a few months, the number had risen to 17,000 URLs. Sophos pointed out that Discord's "servers" are actually Google Cloud Elixir Erlang virtual machines with Cloudfare, and that they can be made "public" or "private" for a subscription, with keys to invite others to attend. 

According to the report, Discord's CDN is just Google Cloud Storage, which makes the information exchanged available on the internet. 

Discord: Easy Target
According to the report, “once files are uploaded to Discord, they can persist indefinitely unless reported or deleted.” 

Phishing messages and virus URLs may also be sent using Discord chat channels. Many Discord scams promise game "cheats," but instead send credential stealers of various kinds, as per Sophos. 

Sonatype discovered three malicious software packages in a prominent JavaScript code repository in January, including Discord token and credential stealers that allowed hackers to steal users' personal details. This isn't the first time a security concern has been brought to Discord's notice. Cisco's Talos released a report in April warning users that Discord and Slack were being frequently utilized to deploy RATs and data stealers. 

In February, Zscaler THreatLabZ reported that spam emails linked to the pandemic were spreading on Discord in an attempt to get users to download the XMRig cryptominer virus. PandaStealer, a data-stealing virus, was spreading through a spam operation on Discord by May. 

According to Sophos experts, Discord has responded positively to their findings and is actively trying to improve safety on the platform. However, as more businesses use Discord to provide services, Sophos advises that they should be mindful of the dangers that lie on the site. 

Sophos added, “With more organizations using Discord as a low-cost collaboration platform, the potential for harm posed by the loss of Discord credentials opens up additional threat vectors to organizations. Even if you don’t have a Discord user in your home or office, abuse of Discord by malware operators poses a threat.” On the Discord CDN, the team discovered old malware such as spyware and phoney app info stealers.

Attackers Pummelled the Gaming Industry During the Pandemic


According to Akamai, a content delivery network (CDN), the gaming business has seen more cyberattacks than any other industry during the COVID-19 pandemic. Between 2019 and 2020, web application attacks against gaming organizations increased by 340 %, and by as high as 415 % between 2018 and 2020. “In 2020, Akamai tracked 246,064,297 web application attacks in the gaming industry, representing about 4% of the 6.3 billion attacks we tracked globally,” reads Akamai’s Gaming in a Pandemic report. 

Cybercriminals frequently used Discord to coordinate their operations and discuss best practices on various techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), and Cross-Site Scripting (XSS), according to the company. SQLi assaults were the most common, accounting for 59% of all attacks, followed by LFI attacks, which accounted for nearly a quarter of all attacks, and XSS attacks, which accounted for only 8%. 

“Criminals are relentless, and we have the data to show it,” Steve Ragan, Akamai security researcher and author of the report, was quoted as saying in a press release. “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.” 

Credential-stuffing attacks increased by 224% in 2019 compared to the previous year. Surprisingly, distributed denial-of-service (DDoS) attacks decreased by approximately 20% within the same period. Each day, millions of these attacks target the industry, with a peak of 76 million attacks in April, 101 million in October, and 157 million in December 2020, according to Akamai. 

Credential stuffing is a type of automated account takeover attack in which threat actors utilize bots to bombard websites with login attempts based on stolen or leaked credentials. They can then proceed to exploit the victims' personal data once they find the perfect mix of "old" credentials and a new website. 

Last year, these attacks grew so frequent that bulk lists of login names and passwords could be purchased for as little as $5 per million records on dark web marketplaces. Poor cyber-hygiene practices such as reusing the same passwords across many online accounts and employing easy-to-guess passwords could be blamed for the increase in attacks. 

“Recycling and using simple passwords make credential stuffing such a constant problem and effective tool for criminals. A successful attack against one account can compromise any other account where the same username and password combination is being used,” said Steve Ragan.

Panda Stealer Spreads Via Discord to Steal User Crypto-Currency


A new type of malware – Panda Stealer – is spreading through a spam campaign globally. Trend Micro researchers reported on Tuesday that they first encountered the latest stealer in April. In Australia, Germany, Japan, and the USA, the latest surge of the spam campaign seems to have the greatest effects. 

The spam emails hide and click booby-trapped Excel files as nothing more than a business quote application to attract victims. Researchers found 264 Panda Stealer-like files with Virus Total, some of which are exchanged by threat actors operating via Discord. 

Given recent developments, this isn’t shocking. The cybersecurity team in Cisco's Talos noticed recently that some threat actors are using workflow and communication resources such as Slack and Discord to sneak past safety and provide robbers, remote access trojans (RATs), and malware. Now again, the threatening actors may use Discord to share the Panda Stealer. 

If Panda becomes confident, it attempts to acquire information like private clues and past crypto-currency wallet activities such as Bytecoin (BCN), Dash (DASH), Ethereum (ETH), and Litecoin (LTC). It may also filter applications such as NordVPN, Telegram, Discord, and Steam in addition to stealing wallets. Panda could also take screenshots and swipe browser info, including cookies and passwords, through infected computers. 

The scientists found out two ways in which spam infects victims: An.XLSM attachment contains macros in one infection chain, which installs a loader that executes the criminal. An .XLS attachment including an Excel formula is also used in another infection chain to enable the instruction PowerShell to access, a Pastebin alternative which in turn is secondary encryption for PowerShell command. 

"The CallByName export function in Visual Basic is used to call a load of a .NET assembly within memory from a URL," Trend Micro says. "The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another URL." 

Panda Stealer is a modification to the DC Stealer malware Collector, that has been sold for as little as $12 on a hidden marketplace and via telegraph. It is announced as a "top-end information stealer" and also has a Russian connection. The Collector Stealer was broken by a threat actor, NCP, identified as su1c1de. The cracked stealer as well as the Panda Stealer act likewise but do not share the very same URLs, tags, or execution files. 

“Cybercriminal groups and script kiddies alike can use it to create their customized version of the stealer and C2 panel,” Trend Micro researchers said. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.” 

Trend Micro says that there are parallels to Phobos Ransomware in the attack chain. In particular, in its distribution method, the Phobos "Fair" version, as defined by Morphisec, is identical and is continuously being revised to cut down on its footprint, for example, to reduce encryption criteria, to remain underneath the radar as long as possible.

Slack and Discord are Being Hijacked by Hackers to Distribute Malware


A few famous online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to disperse malware, experts have cautioned.

Cisco's security division, Talos, published new research on Wednesday featuring how, throughout the span of the Covid-19 pandemic, collaboration tools like Slack and, considerably more generally, Discord have become convenient mechanisms for cybercriminals. With developing frequency, they're being utilized to serve up malware to victims in the form of a link that looks reliable. In different cases, hackers have integrated Discord into their malware to remotely control their code running on tainted machines, and even to steal information from victims. 

Cisco's researchers caution that none of the methods they found really exploits a clear hackable vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victims' machine. All things considered, they essentially exploit some little-analyzed features of those collaboration platforms, alongside their ubiquity and the trust that both clients and systems administrators have come to place in them. 

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

With regards to information exfiltration, the Discord API, for instance, has demonstrated to be quite an effective tool. As the webhook functionality (originally intended to send automated alerts) was intended to have the option to convey any kind of information, and malware oftentimes uses it to ensure stolen information arrives at its intended destination. 

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”

As texting applications grow in popularity, the threats will develop with them. Organizations should know about the dangers, and cautiously pick which platform to utilize, the researchers concluded.

Insider Trading Threats on Dark Web


Insider trading can be done more effectively now than ever before, due to a great extent to the continuing proliferation of encrypted and anonymous messaging services, and the presence of dark web and underground networks that permit threat actors to discover co-conspirators and speak with them. Verifiably, few dark web forums catered to the trafficking of non-public corporate data; presently, updated technology takes into account these endeavors to be conducted with a lot more prominent operational security. 

Monetarily inspired threat actors or displeased employees would now be able to trade data away from the prying eyes of law enforcement and security researchers, permitting only vetted individuals to access sensitive information being given by insiders. 

Moreover, the clearnet is host to many market trading enthusiast groups, on places like Reddit and Discord. These groups range in size from thousands to millions of clients. Insikt Group found "stock signals" services, giving paid clients tips on which trades to make dependent on the proposal of “analysts”. Given that the root of the data is muddled, the unregulated nature of these services and the utilization of unknown messaging services is concerning. 

One of the verifiably significant sites had been The Stock Insiders, a Tor-based site, active from April 2016 until August 2018. As the name proposes, the site was made with the goal of having a community of clients with insider access at publicly traded companies who would impart it to different clients to advise the stock trades of the larger group. The site has for quite some time been inactive, the administrator isn't responsive to private messages, and there have not been any updates to the main page since early 2018. The explanation that operations stopped has not been clarified however it doesn't seem, by all accounts, to be the consequence of a law enforcement takedown since the website is still technically up. 

While the site is no longer active, it actually gives an instructive perspective on how its operations were done. The Stock Insiders has a couple of visible posts instructing clients about how to enlist an account and listing out the requirements for full membership.

Discord Cryptoscam: Scammers Lure Players to Fake Cryptocurrency Exchange Site


Experts at Kaspersky have issued a warning alarming that hackers are attacking Discord users, with a scam that focuses on counterfeit cryptocurrency transactions and using the bait of free Ethereum cryptocurrency or Bitcoins to steal user data and money. The cyber scam fools victims on cryptocurrency servers of Discord by sending users a message that looks like a legit ad of an upcoming trading platform that is doing cryptocurrency giveaway. The scammer then deploys social engineering techniques to generate sign-ups, as per the Kaspersky report.  

Experts believe that the ad offers such generous offers to get user interest, the offer depends on the message to message. However, the gist always remains the same, for instance, if the exchange will help the traders in dire times or is it just trying to lure new users. In this case, says Kaspersky, there'll be a lucky user who'd be chosen for the reward of free Ethereum cryptocurrency or Bitcoins. As we all know, the Discord platform was built solely for gamers, but various users, varying from study groups to cryptocurrency enthusiasts, use Discord's handy servers, channels, and private messages for communication. 

The user diversity becomes an easy target for hackers to scam. In this particular incident, the scammer first tried to send the victim a fake message with emojis and added details that contained a code to free cryptocurrency gifts. The message contained a malicious link that led the user to a fake cryptocurrency exchange domain. When the victim clicks the given link, he's redirected to a website (fake of course). The cryptocurrency exchange site has details like trading info, charts, and trading history (to make it look more genuine). 

"The attention to detail even extends to offering victims two-factor authentication to secure their accounts, plus antiphishing protection. Here, of course, the purpose is purely to add plausibility; the site’s true purpose is to transfer money from victim to criminal," reports Kaspersky. "The scammers claim to need a top-up — in our case, 0.02 BTC or an equivalent amount in Ethereum or US dollars. The scammers appear to be collecting a database to sell; many legitimate services, including financial ones," it further says.

Gamer Alert: More than 10 Billion Attacks On Gaming Industry In 2 Years

According to cybersecurity firm Akamai's recent report titled "State of the Internet/Security," the gaming sector has suffered a big hit in the previous two years. Experts have reported around 10 Billion cyberattacks on the gaming industry between June 2018 and June 2020.

Akamai recorded 100 Billion credential stuffing attacks during this period, out of which 10 Billion amount to attacks on the gaming sector. Besides credential stuffing, Akamai also recorded web application attacks. Hackers targeted around 150 Million web application attacks on the gaming sector.

"This report was planned and mostly written during the COVID-19 lockdown, and if there is one thing that's kept our team san; it is constant social interaction and the knowledge that we're not alone in our anxieties and concerns," says the report. Web application attacks mostly deployed SQL injections and LFI ( Local File Inclusion ) attacks as per the latest published report. It is because hackers can sensitive information of users on the game server using SQL and LFI.

The data can include usernames, account info, passwords, etc. Besides this, experts say that the gaming sector is also a primary target for DDoS (distributed denial-of-service) attacks. Between July 2019 and July 2020, Akamai identified 5,600 DDoS attacks, out of which hackers targeted 3000 attacks on the gaming sector. The increase in the attacks can be because most gamers don't pay much attention to cybersecurity.

According to data, 55% of gamers experienced suspicious activity in their accounts. However, just 20% of these gamers expressed concern about the compromise. Around 50% of hacked players feel that security is a mutual responsibility between gamers and gaming companies. 

Akamai emphasized their concern over the gaming sector becoming an easy target for the hackers. According to Akamai's report, "Web attacks are constant. Credential stuffing attacks can turn data breaches from the days of old (meaning last week) into new incidents that impact thousands (sometimes millions) of people and organizations of all sizes. DDoS attacks disrupt the world of instant communication and connection. These are problems that gamers, consumers, and business leaders face daily. This year, these issues have only gotten worse, and the stress caused by them was compounded by an invisible, deadly threat known as COVID-19."