Every day, cyber-attackers are working on finding new ways to perform more advanced and disruptive attacks, bypass identity security and steal companies’ data. All businesses, no matter their size, are potential targets and should do their best to minimize the risks.
More specifically, malware operators have started to exploit online chatting services to access private conversations, impersonate victims and steal sensitive information. And, with more than 300 million active users, the very popular online chat service Discord is the perfect tool to perform such identity-related attacks. Discord was initially aimed at gaming communities but is now being used by a more diverse population, including developers who want to create apps that free up their time to work on more complex projects.
However, Discord users do not necessarily realize the risks they face when using the platform. It is key for people to be aware of how easy it is for attackers to abuse Discord’s features to develop malware while making sure the threats are nearly impossible to detect and mitigate against. Malware operators employ common attack methods on Discord, and understanding these methods will be vital for users to implement a robust identity security strategy, defend themselves, and protect their information.
Malware Researcher at CyberArk.
Users’ credit card information is at risk
The moment when Discord Nitro – which allowed users to share larger files and longer messages, access higher quality video streaming, and much more – was released is when malware first appeared on the platform. As with many premium features, Discord Nitro became highly desirable amongst users, inspiring some to try and get it without paying the required fee. This led users to users resorting to nefarious methods to obtain Nitro, such as brute-forcing gift keys and social engineering.
Eventually, some malicious users went one step further and used malware to target others on the platform, steal their credit card information, and remotely purchase Discord Nitro gift keys to acquire Discord Nitro. Malware operators then resell these gift keys for profit without the victims’ knowledge, which places real challenges on identity security. And these methods are not just used to target users. In fact, a newly found malware group named Kurdistan 4455 has adopted those hacking techniques for their own benefit, targeting other malware groups instead of users to fund their own attack campaigns.
Raising awareness on how attackers are misusing Discord’s features
Malware operators employ a number of tactics to make it nearly impossible for users to identify threats. One strategy is to use a Content Delivery Network – a file hosting service which offers high availability and uptime – to host payloads their tools can download and run. Since these payloads are hosted on a popular service and secured by HTTPS, it is very difficult to pinpoint the difference between malicious and benign files.
Command & Control (C&C) communication over Discord’s API is another method used by malware operators. The API allows simple communication between users on the platform and the program. As a result, implementing C&C communication over the API is a straightforward process. This form of C&C communication is challenging to monitor and defend against because it is communicating with a single endpoint which is accessible through legitimate services.
Webhooks are another relatively new Discord feature introduced in 2020, now used maliciously. With this new feature, server owners can create a webhook for any channel they control and deliver messages to it through the webhook, via a simple HTTPS request. This feature is a great way to inform users of specific operations securely and quickly. It was originally designed to execute actions such as notification of a new git pull request, but attackers have then started abusing this feature to exfiltrate stolen data from their targets.
Accessing sensitive information through Discord’s malware
Another technique being increasingly used is injecting a payload into Discord’s source code. This is feasible because all the source code for the app is hosted locally in plaintext and isn’t checked for tampering before being run.
As well as this, the method is employed for two main reasons; The first is persistence. As the payload is part of Discord’s app source code, it gets executed at the app’s start, which is usually at logon.
The second centers on connecting with Discord’s clients. Malware operators are able to bypass identity security to impersonate targets and forge requests in the victim’s identity. This gives them the ability to carry out actions such as exfiltrating all private conversations, creating fake messages and purchasing Discord Nitro gift keys. This is a popular method to steal money without leaving an easy trace to follow. While this approach might sound appealing, there are a number of drawbacks — for example, the option to inject code into Discord might be removed when new updates are released, and this method requires an initial “injector” to insert the payload into the app’s source code.
The growing trend of developing malware directly on GitHub
Threat actors have now also started using GitHub to develop malware to target Discord (usually called “Discord Stealer”), allowing operators to easily take a repository, clone it, compile it and, within minutes, have a functioning malware sample they can deploy to infect victims.
CyberArk’s Labs team’s research into Discord malware revealed 44.5% of repositories are written in Python and are standalone malware, and 20.5% are written in JavaScript. These repositories mainly take the approach of injecting code into Discord. In the past few years, this method has become more popular.
Discord’s increasing popularity is expected to bring more challenges
Attackers can easily take advantage of Discord's infrastructure for harmful purposes. As Discord is becoming more popular among corporate developers, businesses can only anticipate a higher risk of being targeted by malware operators on the platform. And this phenomenon will most likely expand to other online chatting services.
Organizations should assume the danger is everywhere and must keep in mind new threats are arising every day. Attackers are constantly innovating to find unexpected ways to target and exploit companies’ vulnerabilities. And businesses must in turn innovate to strengthen their defense strategy – only then will they be able to understand the risks and anticipate the threat.
