How Malware is Targeting Discord
By Nick Anderson 5 minutes
If there's one thing you can count on, it's that malware goes where the users are. A platform with a large, active user base will sooner or later attract it, and Discord is no exception: ransomware and other malware have been spreading through it and infecting users along the way. What is Discord malware? Here's what you need to know to keep yourself protected.
Why is Discord Popular?
Discord is a chat application that is most popular among gamers, but it is more than a voice communication tool: it also hosts communities. Discord is an elaborate platform where you can create communities (called servers), set up dedicated channels within each server for separate discussion groups, and exchange text, video, audio, and file attachments.
Gamers favor it for features like live gameplay broadcasting, screen sharing, and custom emojis. More importantly, Discord's voice chat has a light performance footprint, which matters in competitive online multiplayer games.
Since its launch in 2015, Discord has grown to 150 million active users. It is free to use but offers a premium subscription called Discord Nitro, which adds benefits such as using custom emojis on any server and sending larger files.
How Malware is Affecting Discord
Malware often relies on human error to slip past defenses, for example getting you to open a link that looks harmless. The malware targeting Discord takes this a step further by using the platform's own functionality to host and deliver malicious files and links.
Discord lets users share photos, videos and other files. An uploaded attachment is stored on Discord's CDN (Content Delivery Network) and shown in the chat as a preview. You don't see a URL, but clicking the shared file opens a link on cdn.discordapp.com, and anyone who has that link can download the attachment without being logged in to Discord, or even having an account. (Discord has since started adding expiry parameters to attachment links, but a link remains shareable and downloadable for as long as it is valid.)
Attackers exploit this to disguise harmful attachments that infect your device when you open them. Discord is relatively new and community driven, and the trust that builds up inside those social circles is easy to abuse. More worrying, a malicious file stays on Discord's CDN even after the message that shared it has been deleted, so the link keeps working long after the original post is gone. And because payloads are often delivered inside compressed archives, Discord has a harder time scanning and detecting them.
Discord Malware Example
Research by Cisco's Talos team has documented several ways Discord's core functionality is abused for malicious purposes.
In one example, a malicious email appears to contain a PDF attachment, but the "attachment" is actually an image. The link behind it leads to an ISO file hosted on Discord's CDN. Mounting the ISO exposes an executable that downloads Formbook, an information stealer designed to harvest data such as login credentials from the victim's device.
The CDN also lets attackers host later stages of an attack; think of it as second-stage payload delivery. In the example from the research, a Remote Access Trojan (RAT) was identified after the final payload was retrieved from the CDN. A RAT connects to a command-and-control (C2) server to receive instructions, and a large number of devices infected with the same RAT form a botnet, which can then be used for DDoS attacks among other things.
Webhooks are part of the Discord API; they let developers connect other applications to Discord and post messages and updates into a channel with a single HTTPS request, with no bot account required. Attackers use them in reverse, as a cheap exfiltration channel that relays data from infected computers to a channel the attacker controls. The report notes that exfiltrating data through webhooks is easy and tends to go unnoticed, because the traffic is ordinary HTTPS to discord.com and blends in with legitimate Discord use.
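As an added illustration (this is not code from the original post or from the Cisco research), the Python script below turns the two abuses described above into detection logic run over proxy-style log lines: it flags downloads of risky file types from Discord's CDN, attachment fetches by processes that are not the Discord client or a browser, webhook POSTs to discord.com from processes that are not expected to use webhooks, and request bodies that contain something shaped like a Discord token. The log format, the process allowlists and the sample lines are all constructed assumptions, and the token regex is a heuristic on the commonly seen three-part shape rather than Discord's specification.

```python
import re
from urllib.parse import urlparse

# Discord webhook endpoint shape: /api/webhooks/<webhook id>/<webhook token>
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/[\w-]+/?$")
# Attachment links on Discord's CDN: /attachments/<channel id>/<message id>/<filename>
ATTACHMENT_PATH_RE = re.compile(r"^/attachments/\d+/\d+/(?P<name>[^/?]+)$")
# File types the article describes being delivered from the CDN (droppers, second stages, archives)
RISKY_EXTENSIONS = {".iso", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll", ".zip", ".rar", ".7z"}
# Heuristic: a Discord token is commonly seen as three dot-separated base64url groups.
# Assumption: the minimum group lengths below; this is a shape check, not a validator.
TOKEN_RE = re.compile(r"\b[\w-]{24,}\.[\w-]{6}\.[\w-]{27,}")
# Assumptions about this environment: which processes are expected to reach these endpoints.
EXPECTED_CDN_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
ALLOWED_WEBHOOK_CLIENTS = {"ci-notifier.exe"}


def parse_line(line):
    """Parse one constructed log line: '<ts> <client ip> <process> <method> <url> [request body]'."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    event = dict(zip(("ts", "client", "process", "method", "url"), parts[:5]))
    event["body"] = parts[5] if len(parts) == 6 else ""
    return event


def classify(event):
    """Return a list of finding labels for one parsed request (empty list means nothing suspicious)."""
    findings = []
    url = urlparse(event["url"])
    host = url.hostname or ""
    proc = event["process"].lower()

    # Webhook abuse: a POST to a webhook URL from a process we do not expect to use webhooks,
    # or a body that carries a token-shaped string (the token grabber pattern).
    if host == "discord.com" and event["method"].upper() == "POST" and WEBHOOK_PATH_RE.match(url.path):
        if proc not in ALLOWED_WEBHOOK_CLIENTS:
            findings.append("webhook-post-unexpected-process")
        if TOKEN_RE.search(event["body"]):
            findings.append("discord-token-in-body")

    # CDN abuse: attachment fetched by something other than the Discord client or a browser,
    # or an attachment whose file type is a typical dropper or second-stage container.
    if host == "cdn.discordapp.com":
        match = ATTACHMENT_PATH_RE.match(url.path)
        if match:
            name = match.group("name").lower()
            if proc not in EXPECTED_CDN_CLIENTS:
                findings.append("cdn-fetch-unexpected-process")
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"cdn-download-risky-file:{name}")
    return findings


def scan(lines):
    """Run classify() over raw log lines and return (ts, client, process, finding) tuples."""
    results = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for finding in classify(event):
            results.append((event["ts"], event["client"], event["process"], finding))
    return results


# Constructed sample lines, not real traffic. IDs, hosts and the token are made up.
SAMPLE_LOG = [
    "2021-05-10T12:00:01Z 10.0.0.5 Discord.exe GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/screenshot.png",
    "2021-05-10T12:03:44Z 10.0.0.5 outlook.exe GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/invoice_2021.iso",
    "2021-05-10T12:04:10Z 10.0.0.9 ci-notifier.exe POST https://discord.com/api/webhooks/123456789012345678/a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6 content=build+42+passed",
    "2021-05-10T12:09:32Z 10.0.0.5 svchost.exe POST https://discord.com/api/webhooks/123456789012345678/a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6 content=MTIzNDU2Nzg5MDEyMzQ1Njc4.XxXxXx.abcdefghijklmnopqrstuvwxyz0",
    "2021-05-10T12:15:02Z 10.0.0.7 svc_update.exe GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/how_to_recover.txt",
    "malformed",
]

if __name__ == "__main__":
    for ts, client, proc, finding in scan(SAMPLE_LOG):
        print(f"{ts} {client} {proc}: {finding}")
```

The process name is what makes these rules useful: a plain web proxy usually cannot tell you which binary made the request, so in practice this logic belongs on top of endpoint telemetry that records process-level network connections, and the two allowlists need to be tuned to what legitimately talks to Discord in your environment.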
Malware Types Affecting Discord Users
Zscaler’s research identified four types of malware or attacks affecting users on Discord:
- Epsilon ransomware
- Redline stealer
- XMRig miner
- Token grabbers
XMRig is an open-source cryptocurrency miner that attackers bundle into malware. Once it infects your device, it leeches CPU and GPU resources to mine for the attacker and reports in to a command-and-control server. A miner has a significant, immediately noticeable impact on performance. If you use Discord and have noticed an unexplained drop in performance, run an antivirus scan.
The miner also shuts down programs likely to compete with it for resources, such as popular games, and blocks Task Manager so that you cannot see which process is consuming them.
Lastly, token grabbers try to hand control of your account to an attacker. Discord uses a token to identify your logged-in session; the desktop client stores it on disk and sends it with every API request, so anyone who holds your token can act as you without your password or two-factor code. Remember webhooks? Attackers use them to send stolen tokens from the victim's machine straight back to themselves. If you suspect your token has been taken, change your password, which invalidates the old token.
We recently discussed on our blog how a ransomware attack crippled the U.S. fuel supply. Ransomware such as Epsilon is particularly dangerous because it encrypts the data on your device and holds it hostage in exchange for a ransom. Epsilon even uses Discord's CDN to fetch its ransom note, which shows the level of abuse the platform is facing.
While Discord says it continues to monitor for malicious content and acts on links reported by users, malware still exists on the platform. The discussion around how Discord is being abused speaks volumes about the lengths to which attackers will go to spread malware. Once again, we stress the importance of investing in antivirus software robust enough to deal with a range of malware.
Second, only open attachments from people you know, and be suspicious even then if the file type is not what you expected (an ISO or executable where a PDF was promised). Messages offering free Discord Nitro sound exciting, but they are just another attempt to push malware onto your device.