APT groups have recently been observed using Discord to target critical infrastructure [1] [3], marking the first known instance of such abuse. This raises concerns about the adaptability of cybercriminals and the potential for APT malware campaigns using Discord.

Description

According to the Trellix Advanced Research Center, APT groups have started using Discord for exfiltration purposes. In a recent phishing attack [3], a OneNote file named “dobroua.one” was distributed [1], posing as a donation request for a Ukrainian non-profit organization [1]. The file contained an embedded VBS script that exfiltrated data through a Discord webhook [3]. This discovery suggests a change in how APT groups use Discord: historically they have not abused it because it gives them no control over the command-and-control infrastructure [8].

The researchers have not yet found any strong indicators linking this sample to a known APT group [8], but investigations are ongoing [8]. They believe that the campaign is still in its early stages and warn of the potential for the actor to deliver more sophisticated malware in the future [3].

Discord’s content delivery network (CDN) and webhooks are being exploited by various malware families, including SmokeLoader [2], PrivateLoader [5] [7], GuLoader [5] [7], Mercurial Grabber [5] [7], Typhon Stealer [5] [7], and Venom RAT [5] [7]. This demonstrates the adaptability of cybercriminals to exploit collaborative applications like Discord [2] [5]. The abuse of Discord’s CDN and webhooks allows cybercriminals to host malware, steal sensitive data [1] [2] [3] [4] [5] [7], and distribute additional malware payloads [4].

The potential emergence of APT malware campaigns using Discord introduces a new layer of complexity to the threat landscape [4]. APTs can infiltrate widely used communication platforms like Discord to establish long-term footholds in networks [4] [7], putting critical infrastructure and sensitive data at risk [2] [4] [5] [7]. At least 10,000 malware samples have been found to use Discord’s CDN to load second-stage payloads [6], and 17 malware families have been identified that use Discord webhooks to collect various types of data from infected systems.
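As an added defender-side example (not from the article or any of its sources), the following Python script scans constructed proxy log lines for the two behaviours described above: POSTs to Discord webhook URLs (exfiltration) and downloads of executable attachments from the Discord CDN (second-stage payloads). The log format, client IPs, webhook ID and token are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Endpoints the article describes being abused: webhooks for exfiltration
# and CDN attachment links for hosting second-stage payloads.
WEBHOOK_RE = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/\S+")
# File types that should rarely be fetched from a chat CDN by a normal client.
PAYLOAD_EXT_RE = re.compile(r"\.(?:exe|dll|ps1|vbs|js|bat|zip|one)$", re.IGNORECASE)

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <bytes-sent>".
# IDs and tokens are placeholders, not real Discord resources.
SAMPLE_LOG = """
2023-10-17T10:00:01Z 10.0.0.25 GET https://discord.com/api/v9/users/@me 412
2023-10-17T10:01:02Z 10.0.0.25 POST https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER-token_abc 48211
2023-10-17T10:01:09Z 10.0.0.25 GET https://cdn.discordapp.com/attachments/111/222/update.exe 389
2023-10-17T10:02:30Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/111/333/photo.png?width=400 350
"""

@dataclass
class Finding:
    client: str
    kind: str        # "webhook-exfil" or "cdn-payload"
    url: str
    bytes_sent: int

def parse_line(line: str):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, client, method, url, sent = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "sent": int(sent)}

def detect(log_text: str) -> list[Finding]:
    """Flag outbound webhook POSTs and executable downloads from the Discord CDN."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and WEBHOOK_RE.search(rec["url"]):
            findings.append(Finding(rec["client"], "webhook-exfil", rec["url"], rec["sent"]))
        elif rec["method"] == "GET":
            m = CDN_RE.search(rec["url"])
            # Strip any query string before checking the file extension.
            if m and PAYLOAD_EXT_RE.search(m.group(0).split("?", 1)[0]):
                findings.append(Finding(rec["client"], "cdn-payload", rec["url"], rec["sent"]))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.kind:14} client={f.client} bytes_sent={f.bytes_sent} url={f.url}")
```

Large request bodies to a webhook URL, as in the second sample line, are the signal worth alerting on; ordinary Discord client traffic and image attachments are left alone.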

Conclusion

The abuse of Discord’s CDN and webhooks by cybercriminals poses significant risks. It allows for the stealthy exfiltration of data, making detection difficult [6]. Mitigating this threat requires increased awareness and security measures. The potential for APT groups to utilize Discord for their operations highlights the need for ongoing monitoring and proactive defense strategies. As cybercriminals continue to adapt and exploit collaborative applications, it is crucial to stay vigilant and implement robust security measures to protect critical infrastructure and sensitive data.

References

[1] https://weis.com/a-new-wave-of-discord-malware-is-on-the-rise-heres-what-you-need-to-know/
[2] https://patabook.com/technology/2023/10/17/discord-a-playground-for-nation-state-hackers-targeting-critical-infrastructure/
[3] https://www.techradar.com/pro/security/a-new-wave-of-discord-malware-is-on-the-rise-heres-what-you-need-to-know
[4] https://jn66dataanalytics.com/news/discord-a-playground-for-nation-state-hackers-targeting-critical-infrastructure-the-hacker-news
[5] https://thehackernews.com/2023/10/discord-playground-for-nation-state.html
[6] https://www.redpacketsecurity.com/discord-still-a-hotbed-of-malware-activity-now-apts-join-the-fun/
[7] https://www.443news.com/2023/10/a-playground-for-nation-state-hackers-targeting-critical-infrastructure/
[8] https://www.trellix.com/en-us/about/newsroom/stories/research/discord-i-want-to-play-a-game.html