Discord’s rise in popularity is also causing its CDN to be used for hosting, spreading and controlling malware, including several ransomware variants, game hacks, identity theft malware and even spyware and fake apps for Android phones.
In the course of a study investigating the use of TLS by malware, security researchers Sean Gallagher and Andrew Brandt found that roughly four per cent of all malware download comes from Discord. As a result, the service has become an increased place of interest for malicious threat actors.
Since Discord allows users to upload files on its CDN as message attachments, threat actors can upload various malware and other malicious files only to be used later.
Discord’s malware-laden CND includes malware that can steal passwords of specifically hijacked Discord accounts, leverage Discord Bots to steal information, game cheats/hacks and even variants of ransomware, among other spyware and fake apps.
What’s the play here?
Discord operates its CDN and even has an API for developers to create new ways of interacting with the CDN without necessarily going through the Discord app. The program also lets users upload files (up to 8MB for free accounts) and stores them on the CDN.
The problem is, most malicious files or malware slips by Discord’s malware checks and then stays there indefinitely unless it’s explicitly reported or deleted.
Discord servers have bots that can interact with servers and other apps, making it extremely easy to drop someone’s login credentials in your server casually.
Sophos Labs reported that in the past two months, their products had blocked or detected malicious traffic, which was almost 140 times the detected malware traffic in the same period last year. The company also claimed to have reported 9500 unique URLs hosting malware on the Discord CDN to Discord’s authorities.
“Abuse of Discord, like abuse of any web-based service, is not a new phenomenon, but it is a rapidly growing one”, the report added.
Games of all kinds for gamers of all kinds
According to the Sophos Labs reports, roughly 17,000 unique malware URL links were discovered in the second quarter of this year. 4700 of those URLs were still active and pointing to a malicious Windows .exe file when the report was published.
The malware found on Discord’s CDN includes different identity theft malware, including widely-used stealer malware known as Agent Tesla. There are variants of older ransomware software such as WinLock, Somhoveran / LockScreen and Petya, a crypto locker first seen in 2016.
The CDN also hosts 58 unique malicious Android apps, including several banking or finance-focused spyware or malware. One of the apps even included a transparent Metasploit framework meterpreter and a copy of the Anubis banker trojan. The files were disguised as legitimate-looking banking or game updating apps.
In the News: Weeks after the ransomware attack, Kaseya has a fix