Intelligent CIO LATAM Issue 05 | Page 68

INTELLIGENT BRANDS // Enterprise Security

Malware increasingly targets Discord for abuse

Andrew Brandt, SophosLabs Principal Researcher, and Sean Gallagher, Senior Threat Researcher at Sophos, tell us that cybercriminals abuse a successful chat service to host, spread and control malware targeting its users.

Threat actors who spread and manage malware have long abused legitimate online services. As we found during our investigation into the use of TLS by malware, more than half of the network traffic generated by malware uses TLS encryption, and 20% of that involved the malware communicating with legitimate online services.

During the timeframe of that research, we found that 4% of the overall TLS-protected malware downloads came from one service in particular: Discord. The growing popularity of the game-centric text and voice chat platform has not failed to draw the attention of malware operators.

Discord operates its own content delivery network, or CDN, where users can upload files to share with others. The service also publishes an API, enabling developers to create new ways to interact with Discord other than through its client application. We observed significant volumes of malware hosted in Discord's own CDN, as well as malware interacting with Discord APIs to send and receive data.

As the origins of the service were tied to online gaming, Discord's audience includes large numbers of gamers – including players of youth-oriented titles such as Fortnite, Minecraft or Roblox. Among the malicious files we discovered in Discord's network, we found game cheating tools that target games with in-game Discord integration. The tools allegedly make it possible, by exploiting weaknesses in Discord's protocols, for one player to crash the game of another player. We also found applications that serve as nothing more than harmless, though disruptive, pranks.

But the greatest percentage of the malware we found has a focus on credential and personal information theft: a wide variety of stealer malware as well as more versatile RATs. The threat actors behind these operations employed social engineering to spread credential-stealing malware, then used the victims' harvested Discord credentials to target additional Discord users.

We also encountered several ransomware families hosted in the Discord CDN – largely older ones, usable only to cause harm, as there's no longer a way to pay the ransom. Files hosted on Discord also included multiple Android malware packages, ranging from spyware to fake apps that steal financial information or transactions.
Growing abuse of all kinds
Abuse of Discord, like abuse of any web-based service, is not a new phenomenon, but it is a rapidly growing one: in just the past two months, Sophos products detected and blocked nearly 140 times the number of detections recorded over the same period in 2020. In April, we reported over 9,500 unique URLs hosting malware on Discord's CDN to Discord representatives.

In the second quarter, we detected 17,000 unique URLs in Discord's CDN pointing to malware. And this excludes the malware not hosted within Discord that leverages Discord's application interfaces in various ways. Just prior to publication time, more than 4,700 of those URLs, pointing to malicious Windows .exe files, remained active.

Several password-hijacking malware families specifically target Discord accounts. SophosLabs also found malware that leveraged Discord chat bot APIs for command and control, or to exfiltrate stolen information into private Discord servers or channels.
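The two abuse patterns described above (executables served from Discord's CDN, and API/webhook traffic used as a C2 or exfiltration channel) can be surfaced from ordinary web-proxy logs. The following is an added example, not code from the article or from Sophos; it assumes the CDN and API hostnames `cdn.discordapp.com`, `media.discordapp.net` and `discord.com` and the `/api/webhooks/` path (not stated in the article), a three-column log format, and that only the official `Discord.exe` client is expected to post to webhooks.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<method> <url> <originating process>".
SAMPLE_LOG = """\
GET https://cdn.discordapp.com/attachments/1234/5678/update.exe explorer.exe
GET https://cdn.discordapp.com/attachments/1234/5679/holiday.png chrome.exe
POST https://discord.com/api/webhooks/1111/abcdef svchost.exe
GET https://discord.com/api/v9/users/@me Discord.exe
POST https://discord.com/api/webhooks/2222/ghijkl Discord.exe
"""

# Hostnames assumed for Discord's CDN and API (assumption, not from the article).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com"}
# File extensions that should not normally be fetched from a chat CDN.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|bat|ps1|js|vbs|msi)$", re.I)
WEBHOOK = re.compile(r"^/api/webhooks/\d+/")
# Processes expected to talk to the Discord API; any other process posting to
# a webhook is a candidate exfiltration / C2 channel worth triaging.
EXPECTED = {"discord.exe"}

def classify(line):
    """Return a finding string for a suspicious log line, or None."""
    try:
        method, url, proc = line.split()
    except ValueError:        # blank or malformed line
        return None
    u = urlparse(url)
    host = u.hostname or ""
    if host in CDN_HOSTS and u.path.startswith("/attachments/") and EXEC_EXT.search(u.path):
        return f"cdn-executable {url} via {proc}"
    if host in API_HOSTS and method == "POST" and WEBHOOK.match(u.path) \
            and proc.lower() not in EXPECTED:
        return f"webhook-post-unexpected-process {url} via {proc}"
    return None

def scan(log_text):
    """Run classify() over every line and collect the findings."""
    return [f for line in log_text.splitlines() if (f := classify(line))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Blocking at the proxy is a blunt instrument because legitimate Discord use shares the same hosts; the findings are meant to feed triage of the originating process, not an outright block of the CDN.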