April 14 – Cyber security researchers have uncovered new malware, known as Vare, that is distributed via the popular social media platform Discord, which retains over 300 million active users. Vare uses Discord’s infrastructure as the backbone of its operations.
The malware has been linked to a new group of cyber attackers based in southern Turkey. The group appears to be targeting other hackers rather than individuals or organizations, although businesses are not immune.
Researchers have notified Discord’s support team about the ways in which attackers can misuse Discord’s features, but have not yet received a definitive response from Discord.
Origins of Vare malware
Vare’s origins on the platform can be traced back to the introduction of Discord Nitro, a paid monthly subscription that lets users send larger files and longer messages and stream video at higher quality, a convenient service for some professionals.
Security researchers scanned and analyzed 2,390 public GitHub repositories related to Discord malware and found that 44.5% of them are written in Python, as is Vare.
“Vare is a perfect case of how publicly available repositories are being used to help arm cyber crime groups and how attackers can leverage Discord’s infrastructure maliciously.”
Because Discord is popular among corporate developers, an infected developer endpoint could put that developer’s organization at risk.
Further Discord malware
Researchers have previously observed other malicious programs distributed via Discord, including adware, Remote Access Trojans (RATs), and spyware. What matters most for organizations, however, is the following…
In February, cyber criminals targeted governments in APAC and North America with phishing emails containing malicious Discord links that pointed to password-protected zip files. Those archives contained a .NET malware downloader known as PureCrypter.
In the second stage of the attack, the loader attempted to download a payload from the group’s command and control (C2) infrastructure: a compromised domain belonging to a non-profit organization.
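Because the archive in this campaign was password-protected, content scanning at the gateway sees nothing useful; the Discord link in the email is the earliest point at which a defender can catch it. The following Python is an added example, not code from the article or from the researchers it cites, that picks such links out of an email body or a proxy log. The CDN hostnames (cdn.discordapp.com, media.discordapp.net) and the /attachments/<channel>/<id>/<filename> path layout are assumptions about how Discord serves user uploads, not facts stated on this page, and the sample email is constructed.

```python
import posixpath
import re
from urllib.parse import urlparse

# Assumption (not stated in the article): Discord hands out user-uploaded attachments
# from these CDN hosts, with paths of the form /attachments/<channel>/<id>/<filename>.
DISCORD_ATTACHMENT_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Archive and executable types a phishing lure is likely to deliver. A chat CDN is an
# unusual place for a business document, so these get flagged for analyst review.
SUSPICIOUS_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".dll", ".js", ".vbs"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def discord_attachment_urls(text):
    """Return every Discord-attachment URL found in `text` (an email body, a proxy
    log chunk, a ticket note) together with its file extension and a suspicious flag."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # strip trailing punctuation glued on by prose
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in DISCORD_ATTACHMENT_HOSTS:
            continue  # invite links, discord.com pages etc. are not attachments
        # Extension comes from the path only; Discord-style query strings are ignored.
        ext = posixpath.splitext(parsed.path)[1].lower()
        hits.append({
            "url": url,
            "host": host,
            "ext": ext,
            "suspicious": ext in SUSPICIOUS_EXTENSIONS,
        })
    return hits


def flagged_urls(text):
    """Only the URLs worth an analyst's attention: attachments with a risky extension."""
    return [h["url"] for h in discord_attachment_urls(text) if h["suspicious"]]


# Constructed sample: a phishing-style email body written for this example, not a real message.
SAMPLE_EMAIL = """\
Dear procurement team,

Please review the attached purchase order before Friday:
https://cdn.discordapp.com/attachments/1111111111/2222222222/PO_8841.zip?ex=abc&is=def
The archive password is 1234.

Join our vendor channel: https://discord.com/invite/examplecode
Our logo for your records: https://media.discordapp.net/attachments/1111111111/3333333333/logo.png
"""

if __name__ == "__main__":
    for hit in discord_attachment_urls(SAMPLE_EMAIL):
        marker = "FLAG" if hit["suspicious"] else "ok  "
        print(f"{marker} {hit['ext'] or '(no ext)':8} {hit['url']}")
```

The extension check is a triage signal, not a verdict: a benign image shared over Discord passes, while an archive or executable from the same host is handed to an analyst. Run the function over mail-gateway URL extractions or proxy logs rather than waiting for the archive itself, since the password on the zip means the downloader inside it will not be seen until it is already on the endpoint.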
Malicious payloads observed in this campaign included various info-stealers and ransomware variants: Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware.
In one sample analyzed by security teams, PureCrypter attempted to download AgentTesla, an advanced backdoor that steals browser-stored passwords, takes screen captures, and logs keystrokes.
Although AgentTesla has existed for years, it remains popular with cyber criminals. Via Discord, adversaries ultimately aim to steal passwords stored in browsers, login information copied to the clipboard, and screen captures, among other data.
For further malware insights, please see CyberTalk.org’s past coverage. Want to stay up-to-date with trends in technology? Check out the CyberTalk.org newsletter. Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.