At least one Discord network search emerged with 20,000 virus results, found some researchers.
Cyber attackers are targeting workflow and collaboration tools in order to deliver info-stealers, remote-access trojans (RATs) and other forms of malware. In 2020, the coronavirus pandemic prompted the rapid expansion of the distributed workforce and in 2021, we’ve seen the cyber criminals cashing in.
Increasingly, attackers rely on apps, from Discord to Slack, in order to trick users into opening malicious electronic content. Employees report attacks via Agent Tesla, AsyncRAT, FormBook and other infections.
“One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked,” states a recent report. “By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increase the likelihood that the attachment reaches the end user”.
The functionalities that make it easy to hack into a collaboration platform aren’t unique to Discord or Slack. Files may be uploaded to a given collaboration tool, enabling users to create external links for the file. Once fake file links are shared, the hackers are well on their way.
Malicious links of this nature can evade security detection. Employees may believe that emails from collaboration tool platforms represent genuine business communications. This is all the more likely to occur when fake file links are shared within the confines of the collaboration app channel itself.
A number of these messages allegedly emerge from financial transactions. Some purport to contain invoice information while others appear as ‘purchase orders’.
Collaboration app attack technicalities
Attackers are able to send malicious files to the CDN via encrypted HTTPS. The files will then be compressed, further hiding the malicious content. A variety of different compression algorithms typically come into the picture. These include .ACE, .GZ, .TAR and .ZIP, along with less commonly seen kinds, such as .LZH.
CDNs also enable cyber criminals to present additional bugs using multi-stage infection tactics. Researchers witnessed this behavior across malware types, noting that a single Discord CDN showed nearly 20,000 results in VirusTotal.
It’s a technique routinely observed across malware distribution campaigns that focus on RATs, stealers and other types of data exfiltration tools. To illustrate the type of attacks that have occurred on the Discord platform, researchers used the below screenshot to acknowledge a first-stage malware tasked with retrieving an ASCII blob from a Discord CDN.
Image courtesy of Threatpost.com
Information from the Discord CDN is commonly converted into the final malicious payload and hackers may load this onto systems remotely.
“As is common with Remcos infections, the malware communicated with a command-and-control server (C2) and exfiltrated data via an attacker-controlled DNS server,” states the report. Registry run entries are designed to invoke the malware after system restarts.
In one related campaign, AsyncRAT appeared as a blank Microsoft document. When a human opened the file, macros immediately delivered the payload.
Phony messages arrived in several different languages. These include English, French, Spanish, German and Portuguese.
Discord’s API and C2 communications
The API involved in the Discord platform has emerged as an effective tool with which hackers can siphon data from a network. The C2 communications occur via webhooks. These can send automated requests to a specific Discord server. These servers commonly connect to additional platforms, from DataDog to GitHub. Hackers can disguise their data exfiltration attempts through network masks.
“The versatility and accessibility of Discord webhooks makes them a clear choice from some threat actors,” states the report. “With merely a few stolen access tokens, an attacker can employ a truly effective malware campaign infrastructure with very little effort”. In addition, the ability to maintain anonymity throughout this process represents a significant draw for hackers.
Discord and access tokens
The Discord platform operates by generating an alphanumeric string for each user. These alphanumeric strings are also known as access tokens. The hijacking accounts with this information has cropped up as an issue. Online gamers represent key targets in this area.
Presently, Discord lacks client verification methods to prevent impersonation via stolen access tokens. As a result, those with stolen tokens have made their way across the web. GitHub and other forums may play an unintentional role in perpetuating the distribution of these tokens.
“In many cases, the token stealers pose as useful utilities related to online gaming, as Discord is one of the most prevalent chat and collaboration platforms in use in the gaming community”.
Hacked accounts anonymously deliver malware and may be repurposed for social engineering feats.
Collaboration app risks and solutions
In mitigating collaboration tool app risks, experts advocate for a multi-pronged approach. CISOs may consider implementing additional layers of security within systems. At the same time, the platforms themselves also require further security scrutiny.
CTO Mark Kedgley suggests that organizations take a closer look at user privileges. “To mitigate the risks, more focus on least privilege is needed, as it’s still too common for users to run with local admin rights…Email and office applications provide a number of hardened settings to combat malware and phishing; however, not enough organizations make use of them. Change control and vulnerability management as core security controls should be in place as well”.
Can businesses and/or users really attend to all of the inbound emails and messages that they receive these days? One strategy might be for organizations to narrow the attack surface. This may enable users to focus more closely on who they’re interacting with and for what reasons.
A glut of communication tools within a given organization may mean that users feel overwhelmed. As a result, users may respond too quickly or share information across communication tools without much thought, leading to diminished security and the escalation of a potential threat.
For more on this story, visit ThreatPost.