Connect with us

Hi, what are you looking for?

White Papers

Sophos uncovers malware targeting Discord chat platform

The number of URLs hosting malware on Discord’s Content Management Network during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.

Sophos, a global player in next-generation cybersecurity, published new research on how malware is increasingly targeting the Discord chat platform. The cyberthreats uncovered by Sophos include information-stealing malware, spyware, backdoors, and ransomware resurrected as “mischiefware.

The findings are based on Sophos researchers’ analysis of more than 1,800 malicious files detected by Sophos telemetry on the Discord Content Management Network and are detailed in a new SophosLabs Uncut article, “Malware Increasingly Targets Discord For Abuse.”

Among other things, the research reveals how the number of URLs hosting malware on Discord’s Content Management Network during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.

Sean Gallagher, senior threat researcher at Sophos, said:

Advertisement. Scroll to continue reading.

“Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram. Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.

“These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as ‘mischiefware.’ The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key.

“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed.

“Discord users, whoever they are and whatever they use the platform for, should remain vigilant to the threat of malicious content that’s lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files. In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere.”

The Sophos investigation into malicious content linked to Discord found the following:

Advertisement. Scroll to continue reading.
  1. The malware is often disguised as gaming-related tools and cheats. Common “cheats” seen by Sophos researchers include modifications that allow players to disable an opponent or to access premium features for free – usually for a popular online game such as Minecraft, Fortnite, Roblox, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
  2. Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware Sophos detected on Discord belongs to the “Bladabindi” family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token “loggers” built specifically to steal Discord accounts. In another instance, the researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a “mod” called “Saint.” Saint is, in fact, spyware, capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device.
  3. Sophos researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The analyzed files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offering victims the chance to get a decryption key.

The Android malware comprised backdoors, droppers, and financial malware designed to steal access to online bank accounts and cryptocurrency. Sophos researchers also noticed that a file advertised as a “multitool for Fortnite” loads a Meterpreter backdoor and found many copies of a widely used stealer malware known as Agent Tesla that, once in place, also offers remote access to a victim’s computer and a platform to deliver other malware.

At a technical level, the researchers found some malware using the Application Programming Interface (APIs) of Discord “chatbots” to covertly communicate with and receive instructions from their command server. They also uncovered files that claim to install cracked versions of popular commercial software, such as Adobe Photoshop, and tools that claim to give the user access to the paid features of Discord Nitro, the service’s premium edition.

Staying safe on Discord

Sophos recommends that organizations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote collaboration platforms for work-related projects.

Sophos Intercept X protects business users by detecting the actions and behaviors of malware, while Sophos Firewall inspects encrypted Transport Layer Security (TLS) traffic – now used by half of all malware for communications, according to Sophos research.

Sophos also advises consumers to install a security solution on the devices that they and their families use for online communications and gaming, such as Sophos Home, to protect everyone from malware and cyberthreats. It is also good security practice to avoid downloading and installing unlicensed software from any source, even if it seems to come from a known source.

Advertisement. Scroll to continue reading.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Kaspersky has been at the forefront of raising awareness about cybercrimes and empowering individuals and organizations to protect themselves.

HEADLINES

“We remind our customers to carefully inspect URLs before opening them. Criminals often use spellings very close to legitimate domains to deceive customers into...

HEADLINES

For the Philippines, PH-CERT and NADPOP estimate that the country needs 180,000 trained and validated cybersecurity professionals to proactively and effectively protect the country’s...

White Papers

46% of geo-distributed companies encountered network problems between one and three times per month, while 13% stated they experienced network challenges every week. The...

HEADLINES

“Data is the new oil. Cyber criminals steal personal information to defraud you or use your identity to victimize people close to you. Guard...

White Papers

According to the report, among organizations surveyed, 97% of those hit by ransomware over the past year engaged with law enforcement and/or official government...

HEADLINES

This development marks a major step forward in Globe's long-standing #PlayItRight advocacy to help promote and protect the country’s ₱1.6-trillion creative industry from the...

HEADLINES

Spoofing is a technique where fraudsters impersonate SMS channels to deceive recipients. The practice has seen a marked rise, especially in Metro Manila, with...

Advertisement