Hackers have been observed using Discord to obtain data collected from compromised computers, experts warn.
In a new report, Trellix cybersecurity researcher Gurumoorthi Ramanathan has detailed the malware and the data exfiltration techniques used.
According to the report, the threat actors have built an advanced infostealer called NS-STEALER. They distribute it via ZIP archives masquerading as cracked software. When a victim unzips the archive file, he or she will find a Windows shortcut titled “Loader GAYve” which, if executed, will deploy a malicious Java program. This program will do two things: first it will create a folder called “NS-”, in which it will store all the collected information. Then it will start collecting the data.
Cost-effective data exfiltration
NS-STEALER searches for information stored in more than twenty browsers: cookies, login credentials, and autofill data. Then it starts taking screenshots of the infected device, collecting system information and the list of programs installed on the device. It will then retrieve Discord tokens and Steam and Telegram session data.
Finally, it will exfiltrate all of the above into a Discord Bot channel.
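The infection chain and exfiltration path described above (a shortcut launching a Java program, a staging folder named “NS-”, and upload to a Discord bot channel) translate into a few host-level detection opportunities. The script below is an added example, not code from the article or from Trellix: it runs simple rules over constructed, Sysmon-like telemetry and flags a host when more than one rule fires. The key=value log format, the rule thresholds, and the Discord API hosts (discord.com, discordapp.com) are assumptions for the example.

```python
"""Detection sketch for the NS-STEALER behaviour described in the article.

Added example, not the article's or Trellix's code. Telemetry is constructed
in a simplified key=value format (not Sysmon's real schema); the Discord API
hosts and the two-rule alert threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one benign host (ws2) and one host (ws1)
# showing the three behaviours the article describes.
SAMPLE_LOG = r"""
host=ws1 type=ProcessCreate image=C:\Java\bin\javaw.exe parent=C:\Windows\explorer.exe cmdline="javaw.exe -jar C:\Users\alice\Downloads\loader.jar"
host=ws1 type=FileCreate image=C:\Java\bin\javaw.exe target=C:\Users\alice\AppData\Local\Temp\NS-8421
host=ws1 type=NetworkConnect image=C:\Java\bin\javaw.exe dest=discord.com port=443
host=ws2 type=ProcessCreate image=C:\Java\bin\javaw.exe parent=C:\IDE\ide.exe cmdline="javaw.exe -jar C:\IDE\ide.jar"
host=ws2 type=NetworkConnect image=C:\Firefox\firefox.exe dest=discord.com port=443
"""

JAVA_IMAGES = ("java.exe", "javaw.exe")
DISCORD_HOSTS = ("discord.com", "discordapp.com")  # assumption: API hosts a bot would talk to


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev):
    """Return the names of the heuristic rules this single event satisfies."""
    hits = []
    image = basename(ev.get("image", ""))
    if image not in JAVA_IMAGES:
        return hits
    kind = ev.get("type")
    if kind == "ProcessCreate":
        # Java started by Explorer (e.g. a double-clicked shortcut) running a
        # .jar from a user-writable location, matching the shortcut-to-Java chain.
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "").lower()
        if parent == "explorer.exe" and ".jar" in cmd and "\\users\\" in cmd:
            hits.append("java_jar_from_explorer")
    elif kind == "FileCreate":
        # The article's staging folder: a directory whose name starts with "NS-".
        if re.search(r"\\NS-[^\\]*$", ev.get("target", "")):
            hits.append("ns_staging_folder")
    elif kind == "NetworkConnect":
        # A Java process talking to Discord, the exfiltration channel described.
        if ev.get("dest", "").lower() in DISCORD_HOSTS:
            hits.append("java_to_discord")
    return hits


def evaluate(log_text):
    """Map each host to the sorted set of rule names that fired on it."""
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        per_host[ev.get("host", "?")].update(match_rules(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}


def alerts(log_text, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired (threshold is an assumption)."""
    return sorted(h for h, r in evaluate(log_text).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_LOG).items():
        print(host, rules)
    print("alert hosts:", alerts(SAMPLE_LOG))
```

Requiring two independent rules per host keeps a lone Java process reaching Discord (a legitimate bot, for example) from paging anyone, while the combination of an Explorer-launched .jar, an “NS-” folder and a Discord connection from the same Java process is much harder to explain innocently.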
“Given its highly advanced feature of collecting sensitive information and using X509Certificate to support authentication, this malware can quickly steal information from the victim systems running (Java Runtime Environment),” said Ramanathan.
“The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective.”
This isn’t the first time hackers have found a way to abuse Discord for their nefarious purposes. In fact, Discord has been abused for years. In 2020, researchers at MalwareHunterTeam found a remote access trojan (RAT) that used Discord as a command and control (C2) server. That same year, researchers spotted a version of the AnarchyGrabber Trojan used to steal victims’ passwords and even command an infected client to spread malware to their Discord friends.