The CYFIRMA Research team has uncovered threat actors who have been abusing the Discord platform to carry out their nefarious cyber activities. The research also shows hackers using Discord as a communication platform, a marketplace to buy and sell tools, a place to set up botnets and C2 servers, a host for malicious files, and more. Researchers from CYFIRMA have also learned that hackers are drawn to Discord for the following reasons: it provides free malware, ready-to-use attack infrastructure, encrypted network traffic, bots for automation, and anonymity through private servers. This research paper outlines the ways hackers have used Discord as part of their attack infrastructure and the reasons why it has become an enabler of many cyberattacks.
All social media communication platforms are created to provide a unique and user-friendly experience of connecting with other people. But once they attract a large enough user base, the same platforms are weaponized by cyber criminals to exploit users and non-users alike, through social engineering or by exploiting security gaps in the platform. Discord is no exception, and thanks to an architecture that allows users to run their own servers more or less independently of Discord's control, it has been gaining popularity among various threat actors. Through this article, we shed some light on the different ways cybercriminals abuse Discord, along with the setting up of a 'Proof of Concept' that uses Discord as a C2 server capable of delivering payloads and exfiltrating data, all while looking indistinguishable from a server put to legitimate use.
Discord is a large communication platform that initially gained popularity in the gaming community but has since expanded its user base far beyond that. It consists of topic-based servers and "Slack-like" channels through which users can communicate via text, voice chat, and video calls. These channels can be easily managed by custom automation bots that save admins and moderators a lot of hassle. However, the same bots can just as easily manage C2 operations for threat actors. Discord also allows file sharing, both within the platform and outside it through Discord's Content Delivery Network (CDN) servers. Threat actors can use the Discord CDN service effortlessly to host their malware while blending in with normal, benign encrypted network traffic. All of the above translates into a free, easy-to-use, and powerful attack infrastructure that has proven tempting for a plethora of threat actors around the world.
The following is an extract from Discord's policy.
Discord proactively scans files hosted on its platform for malware, removes any hosted malware reported to it by users or security researchers, and attempts to identify groups of users who are abusing its tools for cybercriminal purposes. Despite these measures, the platform remains a malware dumping ground. Even when the malware is not hosted on Discord, the Discord API provides a breeding ground for malicious command-and-control capability that hides inside Discord's TLS-protected network traffic. Moreover, Discord relies heavily on user reports of policy violations to initiate action.
During our research, we observed various cyber-attacks leveraging the Discord platform. In the following section, we will go over the specifics.
We discovered remote access trojans (RATs) that use the Discord service as a C2 server, in a variety of open-source projects and dark web offerings. These RATs are capable of performing various adversarial activities such as stealing cookies, saved credit cards, credentials, Discord tokens, and MFA information, exfiltrating data files from a compromised system, and uploading additional payloads.
Cybercriminals take advantage of Discord by writing code with a 'webhook' that automatically relays information from infected devices to their 'C2' server via a Discord server. As Discord uses HTTPS to encrypt messages sent through its platform, these messages between Discord and the hacker's server are difficult to track.
Discord, in addition to message and stream routing, serves as a content delivery network for all types of digital content. In its most basic form, message attachments are files uploaded by Discord users into chat or private messages. Discord stores file attachments in Google Cloud Storage; once a file has been uploaded as part of a message, it is accessible from anywhere on the web via a URL representing a storage object address.
A URL hosting a malicious payload takes the following form (see figure 2): https://cdn.discordapp.com/attachments/ChannelID/AttachmentID/filename.exe
While Discord has some malware detection capabilities, many types of malicious content slip through the cracks. When users are caught, they can delete their accounts and create new ones. Discord relies heavily on user reports of policy violations; however, abuse can go unreported when the Discord architecture is used for activities aimed at targets outside the Discord user community. Using VirusTotal, we discovered large numbers of malware samples hosted on Discord's own CDN, as well as malware interacting with Discord APIs to send and receive data.
One of the most common methods we have seen for deploying malware from Discord’s CDN is through social engineering, which involves posting files or links with deceptive descriptions in chat channels or private messages as an enticement to get others to download and execute them. Also, these links can be shared outside the platform to exploit non-users.
The victim’s system does not need to have Discord installed to be compromised. The attacker does not need to install anything other than malware on the victim’s machine, which they can do via phishing email. As an attacker uses Discord CDN as a malware-hosting solution, the attacker only needs to trick the victim into clicking a link shared in a phishing email that points to malware hosted on Discord CDN.
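To make the CDN-hosting pattern above actionable from the defender's side, here is an added example (not code from the original research) that parses proxy log lines, recognises the attachment URL shape given earlier, and grades downloads by file extension. The log line format and the list of extensions treated as executable are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# URL shape of a Discord CDN attachment, as given in the text:
# https://cdn.discordapp.com/attachments/<ChannelID>/<AttachmentID>/<filename>
ATTACHMENT_PATH = re.compile(r"^/attachments/(?P<channel_id>\d+)/(?P<attachment_id>\d+)/(?P<filename>[^/?#]+)$")
# Which extensions count as executable content is an assumption for this example.
EXECUTABLE_EXT = {"exe", "dll", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "hta", "jar", "lnk"}

def parse_attachment(url):
    """Return channel ID, attachment ID, filename and extension if `url` is a Discord CDN attachment."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "cdn.discordapp.com":
        return None
    m = ATTACHMENT_PATH.match(parts.path)  # any query string is ignored by design
    if not m:
        return None
    info = m.groupdict()
    name = info["filename"]
    info["extension"] = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return info

def scan_proxy_log(lines):
    """Flag Discord CDN attachment downloads in proxy log lines of the constructed form
    '<timestamp> <client_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, _method, url, _status = fields
        att = parse_attachment(url)
        if att is None:
            continue
        severity = "high" if att["extension"] in EXECUTABLE_EXT else "info"
        findings.append({"time": ts, "client": client, "severity": severity, **att})
    return findings

# Constructed sample lines (not real traffic): an executable, an image, and a look-alike path elsewhere.
SAMPLE_LOG = [
    "2023-05-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1111/2222/Invoice_May.exe 200",
    "2023-05-01T10:00:07Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1111/3333/cat.png 200",
    "2023-05-01T10:00:09Z 10.0.0.5 GET https://example.com/attachments/1/2/setup.exe 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["filename"], "channel", f["channel_id"], "attachment", f["attachment_id"])
```

The channel and attachment IDs are worth keeping in the finding: they let an analyst group downloads that came from the same Discord channel even when filenames differ.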
Threat actors use Discord to communicate and advertise their services and tools. As entry to private groups in Discord is based on invitations, threat actors have confidence and control over whom they accept or reject from entering their server.
While using GitHub to share malicious code is a story on its own, there are many repositories of malware based on Discord API and malicious bots with various capabilities (see figure 9) found on GitHub. We set up a “Proof of Concept” (PoC) demo to test the claimed capabilities of the malware. This PoC was conducted only for educational purposes, and no harm was done to any user or platform.
Setting up a Discord server as a malicious C2 has proven to be far simpler than expected, provided the right set of systems, knowledge, and skill is at hand. As a result, even low-skilled TAs can easily leverage Discord as a very powerful and stealthy attack infrastructure for free.
Threat actors create malware with the help of GitHub repositories, which is an easier and more cost-effective approach than buying malware on underground forums from their counterparts or unknown malware developers, where the claimed functionality might not work as promised. By using open-source repositories, threat actors can also customize and enhance already developed malware to suit their requirements.
In this PoC, we created a malware executable file through PowerShell with the help of the GitHub repo. The created malware executable file was linked to our Discord server, which we set as a C2 server with the help of a Discord bot to relay communication through a webhook once the victim system is compromised by the malware that we created.
An attacker can upload a malicious file to a Discord channel and share the public link with others, including non-Discord users who can download it as well. Also, a file sent from Discord is permanent, so even if an attacker deletes a file within Discord, the link to the malicious file can still be used to download it. Furthermore, victim systems do not need to have Discord installed to be compromised.
Analysis of the captured pcap supports our initial hypothesis: the traffic is completely encrypted and indistinguishable from legitimate user activity.
Checking DNS traffic provides one red flag from the defender's point of view: the IP check that gives attackers information about the new victim. In this case, our DiscordRAT was configured to look up "geolocation-db.com" and the API of "ipify.org".
DiscordRAT also allows file transfer, either to deliver another payload or to exfiltrate data. Since it uses Discord's servers and infrastructure, both download and upload speeds are pretty much whatever the victim's bandwidth will allow. Furthermore, typical Discord use is multimedia heavy, with users sharing images, videos, and so on, which offers a good veil.
In our test, we uploaded and downloaded a simple ~5MB image and, as you would expect, the logs show just a long encrypted data stream, and the TCP flow is the same mangled mess as in fig 12.
Unfortunately, delivering payloads or stealing data in reasonably small chunks appears to be undetectable without the ability to monitor decrypted traffic. Should the TAs make the rookie mistake of siphoning GBs of data all at once, then volumetric monitoring could do the trick.
One other clue for analysts investigating a possible incident involving Discord traffic could be the frequent occurrence of TCP Window Full and TCP ZeroWindow packets. These packets imply an actual file transfer rather than the typical use of Discord, where multimedia is viewed on Discord but not downloaded. They are sent when the receiving system is overwhelmed by the data being transferred and needs to "take a break" to process the full packets; how often this happens depends on multiple variables.
For comparison, here are stats from significantly longer typical user sessions. From the same host (without DiscordRAT running) our test user logged into their personal Discord through a web browser and viewed media content including videos.
DiscordRAT traffic is indistinguishable from legitimate use of Discord. Thanks to using legitimate services and infrastructure all malicious traffic is encrypted and transferred on high-speed CDNs provided by AWS and Cloudflare.
The only red flags are checks of the victim's IP in DNS logs, suspiciously high data transfers, and too frequently sent TCP Window Full and TCP ZeroWindow packets, which imply file transfer rather than multimedia viewing.
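The three network red flags just summarised can be scored per host from DNS and flow records. This is an added example, not code from the original research; the record formats, the volume and stall-ratio thresholds, and the discord.com and discord.gg domain names are assumptions made here (discordapp.com and the two IP-lookup domains come from the text).

```python
from collections import defaultdict
# IP-lookup services the PoC RAT queried (from the text above).
IP_CHECK_DOMAINS = ("geolocation-db.com", "ipify.org")
# Discord service domains: discordapp.com is on the page; discord.com and discord.gg are assumptions.
DISCORD_DOMAINS = ("discordapp.com", "discord.com", "discord.gg")

def in_domains(name, domains):
    # True if `name` equals, or is a subdomain of, any entry in `domains`.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def triage(dns_lines, flow_lines, volume_bytes=50_000_000, stall_ratio=0.02):
    """Score each client on the three network red flags listed above.
    Record formats (constructed): DNS '<ts> <client> <qname>';
    flow '<ts> <client> <server_name> <bytes> <packets> <window_full> <zero_window>'.
    Both thresholds are assumptions for this example, not values from the page."""
    stats = defaultdict(lambda: {"ip_checks": set(), "bytes": 0, "packets": 0, "stalls": 0})
    for line in dns_lines:
        _ts, client, qname = line.split()
        if in_domains(qname, IP_CHECK_DOMAINS):
            stats[client]["ip_checks"].add(qname)
    for line in flow_lines:
        _ts, client, server, nbytes, pkts, win_full, zero_win = line.split()
        if not in_domains(server, DISCORD_DOMAINS):
            continue  # only Discord-bound flows matter for this triage
        s = stats[client]
        s["bytes"] += int(nbytes)
        s["packets"] += int(pkts)
        s["stalls"] += int(win_full) + int(zero_win)  # TCP Window Full + ZeroWindow events
    verdicts = {}
    for client, s in stats.items():
        reasons = []
        if s["ip_checks"]:
            reasons.append("public-IP lookup: " + ", ".join(sorted(s["ip_checks"])))
        if s["bytes"] >= volume_bytes:
            reasons.append(f"{s['bytes']} bytes exchanged with Discord")
        if s["packets"] and s["stalls"] / s["packets"] >= stall_ratio:
            reasons.append(f"{s['stalls']} window stalls in {s['packets']} packets")
        verdicts[client] = reasons
    return verdicts

# Constructed samples: 10.0.0.5 behaves like the RAT session, 10.0.0.7 like a user watching media.
DNS_SAMPLE = ["10:00:01 10.0.0.5 api.ipify.org", "10:00:02 10.0.0.5 geolocation-db.com",
              "10:00:03 10.0.0.7 gateway.discord.gg"]
FLOW_SAMPLE = ["10:01:00 10.0.0.5 cdn.discordapp.com 120000000 90000 2100 640",
               "10:02:00 10.0.0.7 cdn.discordapp.com 30000000 25000 3 0"]

if __name__ == "__main__":
    for client, reasons in triage(DNS_SAMPLE, FLOW_SAMPLE).items():
        print(client, "SUSPECT" if reasons else "ok", reasons)
```

Hosts with an empty reason list are the media-viewing baseline the text describes; a host that trips all three checks at once is the profile of the PoC session.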
While traffic analysis offers a limited number of indicators, endpoint logs look a lot more promising. All activities listed below come from the same DiscordRAT.exe process under an identical PID.
First up is the creation of a custom entry in AppData
Followed by registry activity, where DiscordRAT needs to touch up Internet Settings
Storing CA certificates in the custom AppData folder
Saving certs in Common Files
Saving its Python code
And finally showing files transferred
From the procmon logs, any analyst can see that this is suspicious activity. However, in this PoC test, we did not attempt to customize it for stealth. All file and path names are easy to change, and any skilled TA will know how to blend in.
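Because the text notes that names and paths are trivial to change, an endpoint rule is better keyed on the combination of behaviours than on any one filename. The following added example (not the research team's code) groups procmon-style CSV rows by PID and flags a process that shows several of the behaviours listed above; the operation names are procmon's, while the path patterns, the CSV sample and the threshold are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Behaviour categories taken from the procmon observations above. The operation names are
# procmon's; the path patterns are assumptions, since the text notes names are trivial to change.
BEHAVIOURS = {
    "appdata_create": (re.compile(r"^CreateFile$"), re.compile(r"\\AppData\\(Local|Roaming)\\")),
    "internet_settings": (re.compile(r"^Reg(SetValue|CreateKey)$"), re.compile(r"\\Internet Settings\\")),
    "cert_drop": (re.compile(r"^WriteFile$"), re.compile(r"\.(crt|pem|cer)$", re.I)),
    "common_files_cert": (re.compile(r"^WriteFile$"), re.compile(r"\\Common Files\\.*\.(crt|pem|cer)$", re.I)),
    "python_source": (re.compile(r"^WriteFile$"), re.compile(r"\.py$", re.I)),
}

def classify(operation, path):
    """Names of every behaviour category a single procmon row matches."""
    return [name for name, (op_re, path_re) in BEHAVIOURS.items()
            if op_re.match(operation) and path_re.search(path)]

def triage_procmon(csv_text, min_behaviours=3):
    """Group rows by PID and return processes showing at least `min_behaviours` distinct categories."""
    per_pid = defaultdict(lambda: {"process": "", "hits": defaultdict(list)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name in classify(row["Operation"], row["Path"]):
            entry = per_pid[row["PID"]]
            entry["process"] = row["Process Name"]
            entry["hits"][name].append(row["Path"])
    return {pid: (e["process"], sorted(e["hits"]))
            for pid, e in per_pid.items() if len(e["hits"]) >= min_behaviours}

# Constructed procmon-style CSV (not the PoC's real log): one RAT-like PID and one browser PID.
SAMPLE_CSV = r"""Time,Process Name,PID,Operation,Path,Result
10:00:01,DiscordRAT.exe,4120,CreateFile,C:\Users\victim\AppData\Roaming\updater\,SUCCESS
10:00:02,DiscordRAT.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable,SUCCESS
10:00:03,DiscordRAT.exe,4120,WriteFile,C:\Users\victim\AppData\Roaming\updater\cacert.pem,SUCCESS
10:00:04,DiscordRAT.exe,4120,WriteFile,C:\Program Files\Common Files\ssl\cert.pem,SUCCESS
10:00:05,DiscordRAT.exe,4120,WriteFile,C:\Users\victim\AppData\Roaming\updater\main.py,SUCCESS
10:00:06,chrome.exe,2200,CreateFile,C:\Users\victim\AppData\Local\Google\Chrome\Cache\f_0001,SUCCESS
"""

if __name__ == "__main__":
    for pid, (proc, behaviours) in triage_procmon(SAMPLE_CSV).items():
        print(f"PID {pid} ({proc}): {', '.join(behaviours)}")
```

A browser legitimately creates files under AppData, so a single category is noise; requiring several distinct categories from one PID is what separates the RAT profile from ordinary activity here.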
Threat actors are abusing the Discord platform in a variety of ways; given the high degree of exploitability, it is best to avoid using Discord as a communication platform in an organizational environment unless there is a business justification.
When Discord is used as a collaboration tool, it is critical to raise awareness about potential cyber-attacks linked to Discord. Because humans are regarded as the weakest link in the cyber kill chain, the possibility of Discord users becoming victims of cyber-attacks via the platform itself is extremely high. Users should be aware of how to use the platform and possible attack types to avoid system compromise.
Because Discord is a legitimate collaboration platform, the possibility of threat actors using it to share a malicious link that deploys a payload is unavoidable. Users should only open email attachments, URLs pointing to Discord, or files uploaded to a Discord channel if the source is someone they know or if they can verify the legitimacy of the source. When in doubt, never open attachments or click links shared from unknown sources.
Antivirus software can greatly aid in the prevention of malware installation by proactively blocking any suspicious downloads. AVs will help to protect users’ computers by preventing RATs and other types of malware from being downloaded and compromising the system.
A host-based intrusion detection system (HIDS) or a network-based intrusion detection system (NIDS) will both be beneficial in handling intrusions. HIDS and NIDS continuously monitor logs and data for malicious activity. This allows security analysts to correlate malicious activity with a device or host, enabling organizations to detect it faster.
If you see Discord traffic when Discord is not installed on your system/network, you may have been infected with Discord-based malware. Monitoring network traffic will aid in detecting suspicious activity triggered by Discord in this scenario.
Discord is a powerful and increasingly popular online social media platform. Thanks to its server-based architecture and powerful media-sharing features, it can be abused as an almost perfect attack infrastructure by malicious threat actors.
Normally threat actors have to build and maintain their own servers or VPS, make sure they are anonymous, pay for them with cryptocurrencies, and so on. Once they are actively used, their domains and IPs are quickly blocked, and they have to move on to new ones.
Discord is free, easy to set up, and anonymous if used correctly. That’s what makes it so dangerous and popular among TAs.
| # | Tactic | Techniques |
| --- | --- | --- |
| 1 | TA0043: Reconnaissance | T1598: Phishing for Information |
| 2 | TA0001: Initial Access | T1566: Phishing; T1078: Valid Accounts |
| 3 | TA0002: Execution | T1059: Command and Scripting Interpreter; T1204: User Execution |
| 4 | TA0003: Persistence | T1547: Boot or Logon Autostart Execution; T1078: Valid Accounts |
| 5 | TA0004: Privilege Escalation | T1547: Boot or Logon Autostart Execution; T1055: Process Injection; T1078: Valid Accounts |
| 6 | TA0005: Defense Evasion | T1222: File and Directory Permissions Modification; T1055: Process Injection; T1550: Use Alternate Authentication Material; T1078: Valid Accounts |
| 7 | | T1555: Credentials from Password Stores; T1056: Input Capture; T1528: Steal Application Access Token |
| 8 | TA0008: Lateral Movement | T1550: Use Alternate Authentication Material |
| 9 | TA0009: Collection | T1074: Data Staged; T1056: Input Capture; T1113: Screen Capture; T1125: Video Capture |
| 10 | TA0011: Command and Control | T1573: Encrypted Channel |
| 11 | TA0010: Exfiltration | T1041: Exfiltration Over C2 Channel |
| 12 | TA0040: Impact | T1565: Data Manipulation; T1490: Inhibit System Recovery; T1489: Service Stop |