Malware operators using common attack methods on Discord

Every day, cyber attackers work to find new ways to launch more sophisticated and disruptive attacks, bypass identity security, and steal corporate data. All companies, regardless of size, are potential targets and must do their best to minimize risks.

More specifically, malware operators have begun abusing online chat services to gain access to private conversations, impersonate victims, and steal sensitive information. And with over 300 million active users, the highly popular online chat service Discord is the perfect tool to carry out such identity-related attacks. Discord was initially aimed at gaming communities, but is now used by a more diverse population, including developers looking to create apps that free up time to work on more complex projects.

However, Discord users don’t necessarily realize the risks they face when using the platform. It’s crucial that people are aware of how easy it is for attackers to abuse Discord’s features to develop malware, while making the threats virtually impossible to detect and combat. Malware operators employ common attack methods on Discord, and understanding these methods will be critical for users to implement a robust identity security strategy, defend themselves, and protect their information.

David El

Malware researcher at CyberArk.

Users’ credit card information is at risk

Malware first appeared on the platform with the release of Discord Nitro, a premium tier that lets users share larger files, send longer messages, access higher-quality video streaming, and more. As with many premium features, Nitro became highly sought after, and some users tried to obtain it without paying the required fee, resorting to nefarious methods such as brute-forcing gift keys and social engineering.

Eventually, some malicious users took it a step further and used malware to target others on the platform, steal their credit card information, and remotely purchase Discord Nitro gift keys with the stolen cards. Malware operators then resell these gift keys for profit without the victims’ knowledge, posing real identity security challenges. And these methods aren’t just used to target ordinary users. A newly found malware group called Kurdistan 4455 has adopted the same techniques for its own benefit, targeting other malware groups instead of users to fund its own attack campaigns.

Raise awareness about how attackers abuse Discord’s features

Malware operators use a number of tactics to make it virtually impossible for users to identify threats. One strategy is to use Discord’s Content Delivery Network – a file hosting service that provides high availability and uptime – to host the payloads that their tools download and run. Because these payloads are hosted on a popular service and delivered over HTTPS, it is very difficult to distinguish malicious files from benign ones.

Command & Control (C&C) communication via Discord’s API is another method used by malware operators. The API lets a program send and receive messages on the platform just as a user would, so implementing C&C communication over it is a simple process. This form of C&C is difficult to monitor and defend against because the malware talks to a single endpoint that belongs to a legitimate service.

Webhooks are another relatively new Discord feature, introduced in 2020, that is now being used maliciously. A server owner can create a webhook for each channel they manage and post messages to that channel through the webhook with a simple HTTPS request. The feature is a safe and quick way to inform users about specific events; it was originally designed for notifications such as a new git pull request, but attackers have since started abusing it to exfiltrate stolen data from their targets.
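The three abuses above (CDN-hosted payloads, API-based C&C, webhook exfiltration) all surface as outbound HTTPS requests to Discord hostnames, which is where a defender can look. The following is an added example, not code from the article or from CyberArk: a small triage routine run over constructed proxy-log lines. The log format, process names and sizes are made up; the Discord hostnames and the webhook path shape (`/api/webhooks/<id>/<token>`) are real.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields: timestamp process method url bytes_out
SAMPLE_LOG = """\
2024-01-10T09:01:02Z Discord.exe GET https://discord.com/api/v9/users/@me 0
2024-01-10T09:01:05Z chrome.exe GET https://cdn.discordapp.com/avatars/123/abc.png 0
2024-01-10T09:02:11Z python.exe POST https://discord.com/api/webhooks/111111/aaaaaaaa 48213
2024-01-10T09:02:40Z svchost.exe GET https://cdn.discordapp.com/attachments/1/2/update.exe 0
2024-01-10T09:03:00Z Discord.exe POST https://discord.com/api/v9/channels/5/messages 812
"""

# Path shape of a Discord webhook endpoint: /api/webhooks/<id>/<token> (optionally /api/vN/...)
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+")
# Processes expected to talk to Discord in this (assumed) environment; tune per site.
EXPECTED_PROCESSES = {"Discord.exe", "chrome.exe", "firefox.exe"}
DISCORD_HOSTS = ("discord.com", "discordapp.com")
RISKY_EXTENSIONS = (".exe", ".dll", ".js", ".zip", ".scr")


def is_discord_host(host):
    """True for discord.com / discordapp.com and any of their subdomains (e.g. cdn.)."""
    return host in DISCORD_HOSTS or host.endswith(tuple("." + h for h in DISCORD_HOSTS))


def classify(line):
    """Return (reasons, line) when a Discord-bound request looks suspicious, else None."""
    _ts, proc, method, url, _bytes_out = line.split()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not is_discord_host(host):
        return None
    reasons = []
    if method == "POST" and WEBHOOK_RE.match(parsed.path):
        reasons.append("POST to webhook endpoint (possible exfiltration)")
    if host == "cdn.discordapp.com" and parsed.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("executable fetched from Discord CDN (possible payload download)")
    if proc not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {proc} talking to Discord (possible C&C)")
    return ("; ".join(reasons), line) if reasons else None


def scan(log_text):
    """Run classify() over every non-empty line and collect the hits in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines() if l.strip()) if hit]


if __name__ == "__main__":
    for reasons, line in scan(SAMPLE_LOG):
        print(f"ALERT [{reasons}] {line}")
```

Expect two alerts from the sample: the webhook POST from python.exe and the .exe pulled from the CDN by svchost.exe; ordinary client traffic from Discord.exe and the browser is left alone.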

Access sensitive information via Discord malware

Another technique that is increasingly used is injecting a payload into Discord’s source code. This is possible because all of the app’s source code is stored locally in plaintext and is not checked for tampering before execution.

This method is attractive for two main reasons. The first is persistence: because the payload is part of the Discord app’s source code, it is executed every time the app launches, usually at login.

The second is access to the victim’s identity on Discord. Malware operators can bypass identity protection by impersonating the target and sending requests under the victim’s identity. This gives them the ability to perform actions such as exfiltrating all private conversations, creating fake messages, and purchasing Discord Nitro gift keys. It is a popular way to steal money without leaving an easy-to-follow trail. While the approach may sound attractive, it has drawbacks: the ability to inject code into Discord may be removed when new updates are released, and the method requires an initial ‘injector’ to insert the payload into the app’s source code.
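Since the app does not verify its own files, the check has to come from outside: record a hash baseline of the locally installed scripts and re-hash them periodically. The following is an added example, not part of the article or any CyberArk tool. It builds a constructed directory (the `modules/app_core` layout is a placeholder, not Discord’s real install path) standing in for the app’s local module folder, takes a baseline, then detects a tampered entry script and a dropped file.

```python
import hashlib
import os
import tempfile


def hash_tree(root, exts=(".js", ".json")):
    """Map relative path (forward slashes) -> SHA-256 of every watched file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes


def diff_baseline(baseline, current):
    """Compare two hash maps; anything modified or added since the baseline is a tamper signal."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: clean install, baseline, then a payload injected into the entry script."""
    root = tempfile.mkdtemp()
    mod = os.path.join(root, "modules", "app_core")  # placeholder layout, not Discord's actual path
    os.makedirs(mod)
    with open(os.path.join(mod, "index.js"), "w") as fh:
        fh.write("module.exports = require('./core');\n")
    with open(os.path.join(mod, "package.json"), "w") as fh:
        fh.write('{"name": "app_core"}\n')
    baseline = hash_tree(root)
    # Simulate the injection: one require() appended to the entry script plus a dropped file.
    with open(os.path.join(mod, "index.js"), "a") as fh:
        fh.write("require('./injected.js');\n")  # constructed marker only; nothing is executed
    with open(os.path.join(mod, "injected.js"), "w") as fh:
        fh.write("// constructed placeholder\n")
    return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken right after a verified install or update, stored outside the app directory, and refreshed only when the updater runs, so that a change appearing between updates is worth investigating.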

The growing trend of developing malware directly on GitHub

Threat actors have also started using GitHub to develop malware that targets Discord (commonly called a “Discord Stealer”). This allows operators to simply take a repository, clone it, compile it, and within minutes have a functioning malware sample they can use to infect victims.

Research by the CyberArk Labs team on Discord malware found that 44.5% of repositories were written in Python and were standalone malware, and 20.5% were written in JavaScript. These repositories mainly take the approach of injecting code into Discord, a method that has become increasingly popular in recent years.

The increasing popularity of Discord is expected to bring more challenges

Attackers can easily abuse Discord’s infrastructure for malicious purposes. As Discord becomes more popular among enterprise developers, companies can only anticipate a greater risk of being targeted by malware operators on the platform. And this phenomenon will most likely spread to other online chat services.

Organizations must assume that danger is everywhere and keep in mind that new threats emerge every day. Attackers are constantly innovating to find unexpected ways to attack and exploit companies’ vulnerabilities. And companies, in turn, must innovate to strengthen their defense strategy – only then will they be able to understand the risks and anticipate the threat.
