Advanced Persistent Threats (APT) have been observed abusing Discord to attack critical infrastructure in Ukraine and steal sensitive data.
This is according to a new report from Trellix, where researchers said this was the first time that an APT (usually state or state-sponsored groups) abused the popular communication and collaboration platform to exfiltrate information.
According to the report, an unnamed threat actor was involved in a phishing attack, distributing a OneNote file called “dobroua.one” – a typed name of the Ukrainian non-profit organization dobro.ua. The file urged the reader to donate to the Ukrainian cause and offered a button called “Support”. Clicking on it will run an embedded Visual Basic Script (VBS) that, after a few steps, will start exfiltrating data through Discord’s webhook.
Highly targeted attacks
On Discord, a webhook is a utility designed to send messages to text channels without the need for the Discord application. It is also an automation feature that in this particular case allows the attacker to send files and other data stored on the victim’s machine.
Trellix believes the attack is highly targeted as it has not seen any further related examples in its telemetry. “This suggests that the attack targeted only the Ukrainian critical infrastructure organizations where the sample was recovered, and that any further stages, apart from those described, could not be retrieved,” they explained.
It’s also worth noting, the researchers say, that the campaign was likely in its early stages, as its final payload consisted solely of collecting system information. “The actor could deliver a more sophisticated piece of malware to the compromised systems in the future by modifying the file stored in the GitHub repository,” the researchers warn.
One of the reasons why Discord is not more widely used by APTs is the lack of full control over the C2 server. Should they become compromised, Discord can terminate their account at any time, potentially cutting off access to any sensitive information they may have acquired in the meantime.
Through BleepingComputer