Connect with us

Hi, what are you looking for?

White Papers

Sophos uncovers malware targeting Discord chat platform

The number of URLs hosting malware on Discord’s Content Management Network during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.

Sophos, a global player in next-generation cybersecurity, published new research on how malware is increasingly targeting the Discord chat platform. The cyberthreats uncovered by Sophos include information-stealing malware, spyware, backdoors, and ransomware resurrected as “mischiefware.

The findings are based on Sophos researchers’ analysis of more than 1,800 malicious files detected by Sophos telemetry on the Discord Content Management Network and are detailed in a new SophosLabs Uncut article, “Malware Increasingly Targets Discord For Abuse.”

Among other things, the research reveals how the number of URLs hosting malware on Discord’s Content Management Network during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.

Sean Gallagher, senior threat researcher at Sophos, said:

Advertisement. Scroll to continue reading.

“Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram. Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.

“These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as ‘mischiefware.’ The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key.

“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed.

“Discord users, whoever they are and whatever they use the platform for, should remain vigilant to the threat of malicious content that’s lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files. In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere.”

The Sophos investigation into malicious content linked to Discord found the following:

Advertisement. Scroll to continue reading.
  1. The malware is often disguised as gaming-related tools and cheats. Common “cheats” seen by Sophos researchers include modifications that allow players to disable an opponent or to access premium features for free – usually for a popular online game such as Minecraft, Fortnite, Roblox, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
  2. Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware Sophos detected on Discord belongs to the “Bladabindi” family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token “loggers” built specifically to steal Discord accounts. In another instance, the researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a “mod” called “Saint.” Saint is, in fact, spyware, capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device.
  3. Sophos researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The analyzed files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offering victims the chance to get a decryption key.

The Android malware comprised backdoors, droppers, and financial malware designed to steal access to online bank accounts and cryptocurrency. Sophos researchers also noticed that a file advertised as a “multitool for Fortnite” loads a Meterpreter backdoor and found many copies of a widely used stealer malware known as Agent Tesla that, once in place, also offers remote access to a victim’s computer and a platform to deliver other malware.

At a technical level, the researchers found some malware using the Application Programming Interface (APIs) of Discord “chatbots” to covertly communicate with and receive instructions from their command server. They also uncovered files that claim to install cracked versions of popular commercial software, such as Adobe Photoshop, and tools that claim to give the user access to the paid features of Discord Nitro, the service’s premium edition.

Staying safe on Discord

Sophos recommends that organizations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote collaboration platforms for work-related projects.

Sophos Intercept X protects business users by detecting the actions and behaviors of malware, while Sophos Firewall inspects encrypted Transport Layer Security (TLS) traffic – now used by half of all malware for communications, according to Sophos research.

Sophos also advises consumers to install a security solution on the devices that they and their families use for online communications and gaming, such as Sophos Home, to protect everyone from malware and cyberthreats. It is also good security practice to avoid downloading and installing unlicensed software from any source, even if it seems to come from a known source.

Advertisement. Scroll to continue reading.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Smart also sounds the alarm on criminals using ‘fake cell towers’ to bypass network defenses. The Philippine National Police had earlier called on the...

HEADLINES

According to a report, downtime and lost productivity are the most concerning business problems caused by ineffective IT security, an opinion expressed by 38%...

HEADLINES

Companies plan to increase their IT security budgets by up to 9%. The median cybersecurity budgets for large enterprises were US $5.7M with US...

HEADLINES

Globe has been a consistent advocate for a safer and more responsible digital space

HEADLINES

The attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage and cyberespionage as well...

HEADLINES

Financial phishing attacks are rapidly increasing in the country as cybercriminals continuously evolve and adapt their tactics, making them sophisticated. The number of attacks...

HEADLINES

A Scale of Harm study by the International Justice Mission revealed that almost half a million Filipino children were trafficked to produce new child...

HEADLINES

Yondu launched an extensive, month-long cybersecurity awareness campaign focused on modern threat detection, incident response, and social engineering defense.

Advertisement