Cybercriminals continue to abuse tools like Discord to host, share and organize malware campaigns. Sophos researchers concluded that the number of malicious URLs (malware hosted on Discord domains) has grown almost 140 times in the last two months, compared to the same period in 2020. Discord hosts 4% of all Transport Layer Security (TLS) protected malware downloads detected by Sophos security monitoring solutions.
A Sophos investigation into the use and sharing of malware via TLS identified that more than half of malware-generated network traffic uses TLS encryption, and 20% of that half have adopted tools like Discord as one of the main channels to infect new victims.
“Discord provides a persistent and highly available global distribution network for malware operators, as well as a messaging system that these operators can adapt into command and control channels for their malware — just as attackers used Internet Relay Chat and Telegram. Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering”, explains Sean Gallagher, one of the Sophos researchers responsible for the study.
Cybercriminal campaigns disguise their communications as gaming communities, usually the most popular ones such as Minecraft, Fortnite, Roblox and Grand Theft Auto (GTA), offering malware-infected downloads, mods and expansion packs. One example is a pirated Minecraft installer that includes a mod called “Saint”. Saint, however, is a spyware keylogger: it records every keystroke and periodically sends screenshots of the victim's screen to the attackers.
Just over 10% of the malware analyzed on Discord belongs to the Bladabindi family, backdoors focused on data theft. Malware designed to steal passwords, security tokens and credential-related data is also easily found. Researchers have even found malware focused on stealing Discord's own credentials. Android malware and various types of ransomware were also found.
The use by cybercriminals of tools considered safe (such as Slack and Discord) has been growing steadily since the beginning of the coronavirus pandemic (SARS-CoV2).
Gallagher believes these abuses have increased because more and more companies are using Discord for confidential work-related communication, sharing files containing internal data that can be of great interest to cybercriminals.
The researcher recommends that users stay alert and only join trusted communities. Although the platform automatically removes some malicious links, “opponents can be hiding anywhere”.