How Malware is increasingly abusing Discord’s CDN.

The would-be IRC replacement is just as useful for hackers.

More and more malware is abusing Discord's CDN

A report by Sophos has exposed the scale and variety of malware using Discord's CDN: “Sophos products detected and blocked, just in the past two months, nearly 140 times the number of detections over the same period in 2020,” said authors Sean Gallagher and Andrew Brandt, with 17,000 unique URLs found pointing to malware in the second quarter of 2021.

And that figure only includes malware hosted by the service, which stores files on Google Cloud and uses Cloudflare as a frontend. The massive figure does not include malware hosted elsewhere that makes use of the CDN’s infrastructure; Discord’s chatbot APIs have been used for command-and-control of malware in infected targets, as well as for exfiltrating stolen data into private servers.
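The three abuse patterns above (payloads served from the CDN, bot API traffic used for command-and-control, and data pushed out through the platform) are the ones a defender would want to separate in egress logs. The following is an added example, not code from the article or from Sophos: a small triage script over constructed proxy-log lines. The log format, the URL shapes it matches and the list of risky file extensions are assumptions.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from the Sophos report): "client method url bytes"
SAMPLE_LOG = """\
10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Minecraft_Installer.exe 812345
10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/screenshot.png 40321
10.0.0.7 POST https://discord.com/api/webhooks/444444444444444444/EXAMPLE_TOKEN 2048
10.0.0.9 GET https://discord.com/api/v9/channels/555555555555555555/messages 512
10.0.0.9 GET https://example.com/index.html 1234
"""

# Assumed URL shapes: CDN attachments sit under /attachments/<channel>/<attachment>/<name>;
# bot and webhook traffic goes to discord.com/api/...
ATTACHMENT_RE = re.compile(
    r"^https://(?:cdn\.discordapp\.com|media\.discordapp\.net)/attachments/\d+/\d+/(?P<name>[^?]+)"
)
WEBHOOK_RE = re.compile(r"^https://discord\.com/api/webhooks/\d+/\S+")
BOT_API_RE = re.compile(r"^https://discord\.com/api/v\d+/channels/\d+/messages")
# Assumed list of extensions worth a second look when fetched from a chat CDN
RISKY_EXT = {".exe", ".scr", ".dll", ".js", ".vbs", ".ps1", ".bat", ".jar", ".apk", ".zip", ".rar"}


def classify(method, url):
    """Map one request to a category; None when it is not Discord-related."""
    m = ATTACHMENT_RE.match(url)
    if m:
        name = m.group("name").lower()
        risky = any(name.endswith(ext) for ext in RISKY_EXT)
        return "cdn_attachment_executable" if risky else "cdn_attachment"
    if method == "POST" and WEBHOOK_RE.match(url):
        return "webhook_post"        # data leaving the host through a webhook
    if BOT_API_RE.match(url):
        return "bot_api_messages"    # a client polling a channel for messages
    return None


def triage(log_text):
    """Return (findings, counts): findings are (client, category, url) for Discord hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, url, _size = line.split()
        cat = classify(method, url)
        if cat:
            findings.append((client, cat, url))
    return findings, Counter(cat for _, cat, _ in findings)


if __name__ == "__main__":
    for client, cat, url in triage(SAMPLE_LOG)[0]:
        print(client, cat, url)
```

The counts alone will not prove malice (the platform has plenty of legitimate users), but an executable pulled from the CDN by a host that also posts to a webhook is the combination worth investigating.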

Malware on the platform varies, but the majority of it, according to the authors, is focused on data theft, either through direct credential-stealing or remote access trojans (RATs). Threats to Android platforms were also observed, ranging from ad clickers to banking Trojans, as well as expired ransomware with no way to pay the attackers.

A representation of a subset of malicious (red) and benign (black) files hosted on Discord’s CDN.

Discord is a popular messaging platform that was originally designed for gaming communities, and they still have a significant presence on the platform, so it’s not surprising that many of the malicious files hosted and distributed on it are related to gaming.

For example, researchers identified a modified Minecraft installer that also captured keystrokes, screenshots, and camera images, as well as a “multitool for FortNite” (sic) that infected systems with a Meterpreter backdoor.

Others targeted Discord directly, stealing credentials and authentication tokens or masquerading as software ranging from private browsers to cracked Adobe applications.

The promise of generating keys for Discord’s premium Nitro service was frequently used to entice users, as was social engineering. One example immediately attempted to locate and terminate processes for dozens of security tools, as well as built-in Windows protection features – though, if it’s any consolation, many of these trojans, like the aforementioned ransomware, were old enough that they were attempting to phone home to servers that weren’t available to respond.

Finally, Discord’s freemium model, which it relies on for accessibility, works against it here. While many desirable quality-of-life features are paywalled behind Nitro, free accounts can still upload files (albeit with a size limit) and communicate with its APIs.

This allows threats to reappear under new accounts; while Discord removed much of what the researchers reported, they found that new malware was constantly being uploaded to, or communicating with, Discord.
