Success makes you sexy – apparently cyber criminals see it that way too.
In a new study, SophosLabs found out that Discord, a currently very successful service for voice, video and text communication with more than 150 million users worldwide, is increasingly used as a malware distribution platform. Sophos telemetry data shows that the number of URLs hosting malware on Discord’s content management network (CDN) has increased 140% in the last two months compared to the same period last year. The study “Malware increasingly targets Disord for abuse”is based on a detailed analysis of more than 1,800 malicious files detected on the Discord CDN and shows how cybercriminals use the popular platform to steal personal information and distribute other malware, including actually discarded ransomware used for sabotage and denial-of-service attacks are used.
“Discord offers a permanent, highly available and global distribution network for malware operators, as well as a messaging system that criminals can easily convert into command and control channels for their illegal activities,” said Sean Gallagher, Senior Threat Researcher at Sophos. “Discord’s huge user base provides an ideal environment for social engineering to steal personal and login information.”
“These scams are not harmless,” Gallagher continued. “We found malware that can steal private images from an infected device’s camera, as well as ransomware from 2006 that the attackers revived for use as ‘mixed hardware’. This type of malware denies victims access to their data, but there is no ransom note and no decryption key as with ransomware. “
The focus is not only on private users. The Sophos report suggests that cyber criminals are well aware that companies are increasingly using the Discord platform for internal or community chats. This development offers attackers a new and potentially lucrative target group, especially if security teams cannot always check the TLS traffic encrypted with Transport Layer Security to and from Discord and thus cannot detect potentially dangerous activities at an early stage.
The most important results of the Sophos Labs report at a glance:
- The malware is often disguised as game-related tools and cheats – often for popular online games such as Minecraft, Fortnite, Roblox or Grand Theft Auto. The researchers also found a lure that allowed gamers to test a game in development.
- Information theft is the most common threat, accounting for more than 35% of malware detected. The Sophos researchers found several types of malware that hack or exfiltrate passwords. For example, the modified version of a Minecraft installer that installs an “extension” called “Saint” in addition to providing the game. However, this is so-called spyware that can capture keystrokes and screenshots as well as images directly from the camera.
- The SophosLabs also found Android malware packages that install backdoors or droppers (independently executable program files that activate malware, for example) on the smartphone, as well as financial malware that is supposed to steal access to online bank accounts and cryptocurrencies.
Staying safe on Discord
“Discord users, regardless of whether they are private or business and what they use the platform for, should remain vigilant to the threat of malicious content, similar to the email inbox, and not just leave it to the provider to identify and identify suspicious files to remove, ”says Gallagher. “We also recommend installing a security solution such as Sophos Home on personal devices to protect against malware and other cyber threats.”
For companies using Discord for chat and collaboration in the workplace, we recommend using Multi-Factor Authentication (MFA). In addition, it should be ensured that all employees have up-to-date malware protection on their devices – especially those that they use to access remote collaboration platforms while at work. Additionally, IT security teams should never consider traffic from an online cloud service to be inherently “secure” due to the trustworthy nature or legitimacy of the service itself. Cyber criminals could be hiding anywhere.
All technical details and a further list of the widespread malware types can be found in the complete report “Malware increasingly targets Disord for abuse” to disposal.