Discord Used to Deliver Malware
Discord's content delivery network and core features are being used to push malicious files to its 150 million users, putting corporate workplaces at risk. Attackers are abusing core features of the popular Discord communication platform to persistently deliver several types of malware, mainly remote access trojans (RATs) that can take over a victim's system. RiskIQ and Check Point found malware being sent in messages across the platform, which lets users organize Discord servers into topic-based channels in which images, voice files, executables and other files can be shared. Those files are then stored on Discord's Content Delivery Network (CDN) servers, where anyone holding the link can fetch them.
Researchers warn that a significant share of the files sent across Discord are malicious, pointing to substantial abuse of its CDN: attackers create channels solely to host and deliver malicious files. Discord mainly attracts gamers, but organizations also use the platform for workplace communication. Because malicious files live on Discord's CDN and the malware spreads over the platform itself, many organizations could be exposing their networks, and because the files are served from a legitimate domain over encrypted connections, the downloads are easy to overlook.
The latest samples found can take screenshots, download and execute additional files, and log keystrokes, according to Idan Shechter and Omer Ventura of Check Point. Check Point also found that the Discord Bot API, which the researchers exercised through its Python implementation that simplifies modifying and shortens the development of bots on the platform, can easily be turned into a simple RAT that gives an attacker full remote control of the system the bot runs on, with Discord's own infrastructure serving as the command-and-control channel. Bots are becoming an integral part of how users interact with Discord, letting users integrate their own code for enhanced features.
RiskIQ researchers examined Discord CDN URLs pointing to .exe, .dll and various document and compressed files. On reviewing the file hashes on VirusTotal, they found more than 100 delivering malicious content. Eighty of those files belonged to 17 different malware families, with trojans the most common type observed on the platform. RiskIQ also took a deeper look at how Discord CDN links are constructed: attachments are served from a Discord domain through links of the form hxxps://cdn.discordapp.com/attachments/{ChannelID}/{AttachmentID}/(unknown), which the researchers used to hunt for malware. Having detected such links, they queried the Discord channel IDs embedded in them, which let them identify domains hosting web pages that link to a Discord CDN URL with a specific channel ID.
RiskIQ also found that the channel ID for a URL that served a Raccoon password stealer returned a domain for Taplink, a service that gives users micro landing pages to direct visitors to their Instagram and other social media profiles. Querying these IDs lets RiskIQ users understand which Discord files and associated infrastructure are of concern and where they appear across the web. Because Discord IDs encode their own creation time, the technique also let the researchers determine the date and time at which channels were created for the sole purpose of distributing malware.
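As an added example, and not RiskIQ's or Check Point's tooling, the following Python turns the URL layout described above into a triage step for proxy or mail logs. It pulls the channel and attachment IDs out of each cdn.discordapp.com link (live or defanged hxxps form), decodes the creation time each ID carries (Discord IDs are snowflakes whose top 42 bits are milliseconds since 2015-01-01T00:00:00Z), and flags executable, archive or document downloads from channels created shortly before the upload, which is the throwaway-channel pattern the researchers describe. The assumption that the final URL segment is the attachment filename, the extension list, the seven-day threshold and the log lines are all assumptions or constructed data.

```python
"""Triage Discord CDN attachment links found in proxy or mail logs.

Added example, not RiskIQ's or Check Point's tooling. It relies on the URL
layout quoted in the article (.../attachments/{ChannelID}/{AttachmentID}/...)
and on Discord's documented snowflake ID format, in which the top 42 bits are
a millisecond timestamp relative to 2015-01-01T00:00:00Z. The extension list,
the "fresh channel" threshold and the sample log lines are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, per Discord's docs
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Accepts both live (https) and defanged (hxxps) notation. The final path
# segment is assumed here to be the attachment's original filename.
CDN_RE = re.compile(
    r"h(?:tt|xx)ps?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d{17,20})/(?P<attachment>\d{17,20})/(?P<filename>[^\s\"'<>]+)",
    re.IGNORECASE,
)

# Assumed expansion of the file types the article says RiskIQ reviewed.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".doc", ".docm", ".xls", ".xlsm",
                    ".zip", ".rar", ".7z", ".iso", ".js", ".vbs"}


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Recover the creation time embedded in a Discord snowflake ID."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def snowflake_from_datetime(when: datetime, low_bits: int = 0) -> int:
    """Inverse of snowflake_to_datetime; used here to build realistic sample IDs."""
    ms = (when - UNIX_EPOCH) // timedelta(milliseconds=1)
    return ((ms - DISCORD_EPOCH_MS) << 22) | (low_bits & 0x3FFFFF)


def parse_cdn_url(text: str):
    """Extract IDs, filename and decoded timestamps from the first CDN link in text."""
    m = CDN_RE.search(text)
    if m is None:
        return None
    channel_id = int(m["channel"])
    attachment_id = int(m["attachment"])
    filename = m["filename"].split("?", 1)[0]  # drop any query string
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return {
        "channel_id": channel_id,
        "attachment_id": attachment_id,
        "filename": filename,
        "channel_created": snowflake_to_datetime(channel_id),
        "attachment_created": snowflake_to_datetime(attachment_id),
        "risky_extension": ext in RISKY_EXTENSIONS,
    }


def scan_log(lines, max_channel_age_days: int = 7):
    """Flag risky downloads served from channels created shortly before the upload."""
    findings = []
    for line in lines:
        info = parse_cdn_url(line)
        if info is None:
            continue
        channel_age = info["attachment_created"] - info["channel_created"]
        info["fresh_channel"] = channel_age <= timedelta(days=max_channel_age_days)
        info["suspicious"] = info["risky_extension"] and info["fresh_channel"]
        findings.append(info)
    return findings


# Constructed sample proxy log. The IDs are synthesised from the timestamps
# below so that the decoded dates line up with the story each line tells.
_OLD_CHANNEL = snowflake_from_datetime(datetime(2019, 3, 2, 9, 0, tzinfo=timezone.utc), 0x1A2B3)
_PNG_UPLOAD = snowflake_from_datetime(datetime(2021, 4, 20, 15, 30, tzinfo=timezone.utc), 0x4C5D6)
_NEW_CHANNEL = snowflake_from_datetime(datetime(2021, 4, 21, 8, 5, tzinfo=timezone.utc), 0x7E8F9)
_EXE_UPLOAD = snowflake_from_datetime(datetime(2021, 4, 21, 8, 47, tzinfo=timezone.utc), 0x0A1B2)

SAMPLE_LOG = [
    f"2021-04-20T15:31:02Z 10.20.4.17 GET https://cdn.discordapp.com/attachments/{_OLD_CHANNEL}/{_PNG_UPLOAD}/team-photo.png 200",
    f"2021-04-21T08:49:10Z 10.20.4.31 GET https://cdn.discordapp.com/attachments/{_NEW_CHANNEL}/{_EXE_UPLOAD}/Invoice_2021.exe 200",
    "2021-04-21T08:50:00Z 10.20.4.31 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['filename']:<18} channel created {f['channel_created']:%Y-%m-%d} "
              f"uploaded {f['attachment_created']:%Y-%m-%d} suspicious={f['suspicious']}")
```

The channel-age heuristic is deliberately loose: a long-lived community channel that happens to host one malicious attachment will not trip it, so the decoded timestamps are best fed into a pivot (which other pages link to this channel ID, as RiskIQ did) rather than used as a verdict on their own.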
The findings expose weaknesses in widely used communication and file-sharing platforms that rely on encrypted traffic for security: encrypting API traffic alone does nothing to keep malware off a content delivery network, and it means a defender watching the network sees only a TLS connection to a legitimate domain. They also highlight a recurring problem in the development of communication platforms, namely an emphasis on functionality over security. Discord's bot framework is powerful and time-saving, but with great power comes great responsibility, and the same framework can just as easily be used for malicious ends.