A hot potato: When “abuse” comes up in relation to the popular instant messaging service Discord, it is usually about the group chat platform being used by trolls or for hateful and NSFW content. But Discord’s content delivery network (CDN) is now increasingly being used to host malicious files and distribute malware via links that appear to be legitimate.
A report from Sophos has exposed the scale and variety of malware hosted on the Discord CDN: “Sophos products detected and blocked, in the last two months alone, almost 140 times the number of detections during the same period in 2020,” said the authors, Sean Gallagher and Andrew Brandt, with 17,000 unique URLs found pointing to malware in Q2 2021.
And those 17,000 URLs only count malware hosted by the service itself, which keeps files on Google Cloud and uses Cloudflare as its front end. The figure excludes malware hosted elsewhere that makes use of the infrastructure provided by the CDN: Discord’s chatbot APIs have been used to command and control malware on infected targets, as well as to exfiltrate stolen data to private servers.
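The two abuse patterns described above, files delivered from the Discord CDN and bot or webhook traffic used for command and control or exfiltration, both leave traces in ordinary web-proxy logs. The following is an added example, not code from the Sophos report or the article: a small scanner that flags executable downloads from the CDN attachment path and POSTs to Discord's webhook API from non-browser user agents. The hostnames and URL paths are Discord's public endpoints, but the log layout, the sample lines and the heuristics are constructed assumptions for illustration.

```python
"""Flag Discord CDN downloads and webhook traffic in web-proxy logs.

Added example, not part of the article or the Sophos report. The log format is
a constructed, simplified proxy layout; the hostnames and paths are Discord's
public CDN/API endpoints, and the heuristics are assumptions, not a vendor rule.
"""
import re
from urllib.parse import urlparse

# Hostnames assumed for Discord's CDN and API (public endpoints, not from the page).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com"}

# Extensions that rarely have a legitimate reason to arrive via a chat CDN
# on a managed endpoint (assumption; tune to the environment).
RISKY_EXT = {".exe", ".scr", ".msi", ".bat", ".ps1", ".js", ".vbs", ".jar", ".dll", ".apk"}

# Constructed log format: <timestamp> <src_ip> <method> <url> <status> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
WEBHOOK_RE = re.compile(r"^/api/(v\d+/)?webhooks/")


def classify(line):
    """Return a list of finding tags for one proxy log line (empty list = nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _src, method, url, _status, ua = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    findings = []

    # Pattern 1: a file fetched from the CDN attachment path with a risky extension.
    if host in CDN_HOSTS and path.startswith("/attachments/"):
        name = path.rsplit("/", 1)[-1]
        exts = ["." + p for p in name.split(".")[1:]]
        if exts and exts[-1] in RISKY_EXT:
            findings.append("cdn_executable_download")
            if len(exts) >= 2:
                findings.append("double_extension")  # e.g. invoice.pdf.scr

    # Pattern 2: a POST to a webhook URL, which is how bot-style exfiltration
    # or beaconing typically reaches Discord from an infected host.
    if host in API_HOSTS and method.upper() == "POST" and WEBHOOK_RE.match(path):
        findings.append("webhook_post")
        if "mozilla" not in ua.lower():  # real Discord clients send a browser-like UA
            findings.append("non_browser_user_agent")
    return findings


def scan(lines):
    """Return (source_ip, url, findings) for every line that produced a finding."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group(2), m.group(4), tags))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '2021-07-20T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/launcher.exe 200 "Mozilla/5.0"',
    '2021-07-20T10:02:10Z 10.0.0.5 POST https://discord.com/api/webhooks/333/EXAMPLE_TOKEN 204 "python-requests/2.25.1"',
    '2021-07-20T10:03:00Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/111/444/photo.png 200 "Mozilla/5.0"',
    '2021-07-20T10:04:00Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/111/555/invoice.pdf.scr 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, url, tags in scan(SAMPLE_LOGS):
        print(f"{src} {url} -> {', '.join(tags)}")
```

Run against real proxy exports, the `cdn_executable_download` hits are worth correlating with the downloading user and what ran afterwards, while `webhook_post` from a non-browser user agent on a workstation is a strong exfiltration signal, since legitimate webhook callers are normally servers, not endpoints.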
The malware hosted on the platform varies, but according to the authors, most of it focuses on data theft, either through direct credential theft or Remote Access Trojans (RATs). Threats targeting Android were also seen, ranging from ad-clickers to banking Trojans, as well as expired ransomware that left victims no way to pay the attackers.
Discord is a popular messaging platform that was originally aimed at gamer communities, and gamers continue to have a substantial presence on it, so it is not surprising that many of the malicious files hosted and distributed there are linked to games.
For example, the researchers identified a modified Minecraft installer that also captured keystrokes, screenshots, and camera images, as well as a “multitool for FortNite” (sic) that infected systems with a Meterpreter backdoor.
Others targeted Discord itself, stealing credentials and authentication tokens, or masqueraded as software ranging from private browsers to cracked Adobe applications.
Social engineering was often a factor as well, with promised key generators for Discord’s premium Nitro service a common lure. One example immediately tried to find and kill processes belonging to dozens of security tools, as well as built-in Windows protection features, though if it is any consolation, many of these Trojans, like the ransomware mentioned above, were old enough that they tried to phone home to servers that were no longer there to respond.
Ultimately, the freemium model Discord relies on for accessibility works against it here. While many quality-of-life features desirable to benign users are locked behind the Nitro paywall, free accounts can still upload files (albeit with a size limit) and communicate with its APIs.
This allows threats to reappear again and again under new accounts; while Discord removed much of what the researchers identified, they found that new malware was continually being uploaded to, or communicating with, Discord.