Sophos has just published new research on how malware is increasingly targeting the Discord chat platform. The cyber threats uncovered by Sophos include information-stealing malware, spyware, backdoors, and ransomware resurrected as “mischiefware.”
The findings are based on Sophos researchers’ analysis of more than 1,800 malicious files detected by Sophos telemetry on the Discord Content Management Network (CDN), and are detailed in a new SophosLabs Uncut article, “Malware Increasingly Targets Discord For Abuse.”
Among other things, the research reveals how the number of URLs hosting malware on Discord’s CDN during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.
Sean Gallagher, senior threat researcher at Sophos said Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram.
“Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering. These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as ‘mischiefware.’ The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key,” said Sean Gallagher.
“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed,” said Sean Gallagher.
Discord users, whoever they are and whatever they use the platform for, should remain vigilant to the threat of malicious content that’s lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files.
“In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere,” said Sean Gallagher.
The Sophos investigation into malicious content linked to Discord found the following:
1. The malware is often disguised as gaming-related tools and cheats. Common “cheats” seen by Sophos researchers include modifications that allow players to disable an opponent or to access premium features for free – usually for a popular online game such as Minecraft, Fortnite, Roblox, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
2. Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware Sophos detected on Discord belongs to the “Bladabindi” family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token “loggers” built specifically to steal Discord accounts. In another instance, the researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a “mod” called “Saint.” Saint is in fact spyware, capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device.
3. Sophos researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The analysed files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offering victims the chance to get a decryption key.
The Android malware comprised backdoors, droppers and financial malware designed to steal access to online bank accounts and cryptocurrency. Sophos researchers also noticed that a file advertised as a “multitool for FortNite” loads a Meterpreter backdoor and found many copies of a widely used stealer malware known as Agent Tesla that, once in place, also offers remote access to a victim’s computer and a platform to deliver other malware.
At a technical level, the researchers found some malware using the Application Programming Interface (APIs) of Discord “chat bots” to covertly communicate with and receive instructions from their command server. They also uncovered files that claim to install cracked versions of popular commercial software, such as Adobe Photoshop, and tools that claim to give the user access to the paid features of Discord Nitro, the service’s premium edition.
Staying safe on Discord
Sophos recommends that organizations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote collaboration platforms for work-related projects.
Sophos Intercept X protects business users by detecting the actions and behaviors of malware, while Sophos Firewall inspects encrypted Transport Layer Security (TLS) traffic – now used by half of all malware for communications, according to Sophos research.
Sophos also advises consumers to install a security solution on the devices that they and their families use for online communications and gaming, such as Sophos Home, to protect everyone from malware and cyberthreats. It is also good security practice to avoid downloading and installing unlicensed software from any source, even if it seems to come a known source.