Sophos has published new research on how malware is increasingly targeting the Discord chat platform. The cyberthreats uncovered by Sophos include information stealing malware, spyware, backdoors, and ransomware resurrected as “mischiefware.”
The findings are based on Sophos researchers’ analysis of more than 1,800 malicious files detected by Sophos telemetry on the Discord Content Management Network (CDN), and are detailed in a new SophosLabs Uncut article, “Malware Increasingly Targets Discord For Abuse.”
Among other things, the research reveals how the number of URLs hosting malware on Discord’s CDN during the second quarter of 2021 increased by 140% compared to the same period in 2020, according to Sophos telemetry.
According to Sean Gallagher, senior threat researcher at Sophos, “Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware – in much the same way attackers have used Internet Relay Chat and Telegram.
“Discord’s vast user base also provides an ideal environment for stealing personal information and credentials through social engineering.”
“These scams are not harmless – we found one malware that can steal private images from the camera on an infected device, as well as ransomware from 2006 that the attackers have resurrected to use as ‘mischiefware.’ The mischiefware denies victims access to their data, but there’s no ransom demand and no decryption key.
“Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed.
“Discord users, whoever they are and whatever they use the platform for, should remain vigilant to the threat of malicious content that’s lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files.
“In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere.”
The Sophos investigation into malicious content linked to Discord found the following:
- The malware is often disguised as gaming-related tools and cheats. Common “cheats” seen by Sophos researchers include modifications that allow players to disable an opponent or to access premium features for free – usually for a popular online game such as Minecraft, Fortnite, Roblox, and Grand Theft Auto. The researchers also found a lure that offered gamers the chance to test a game in development.
- Information-stealers are the most prevalent threat, accounting for more than 35% of the malware seen. More than 10% of the malware Sophos detected on Discord belongs to the “Bladabindi” family of information-stealing backdoors. Sophos researchers found several password-hijacking malware, including Discord security token “loggers” built specifically to steal Discord accounts.
- Sophos researchers also found repurposed ransomware, backdoors, Android malware packages, and more. The analysed files included several types of Windows ransomware being spread by attackers that block access to data without making a ransom demand or offering victims the chance to get a decryption key.
The Android malware comprised backdoors, droppers and financial malware designed to steal access to online bank accounts and cryptocurrency
Staying safe on Discord
Sophos recommends that organizations using Discord for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ Discord accounts and ensure that all employees have up-to-date malware protection on any computer they use to access remote collaboration platforms for work-related projects.
Sophos also advises consumers to install a security solution on the devices that they and their families use for online communications and gaming to protect everyone from malware and cyberthreats.
It is also good security practice to avoid downloading and installing unlicensed software from any source, even if it seems to come a known source.