Users of the Discord platform may think they are downloading game cheats or hacked software, but may end up being ransomed.

Do you use the Discord app to access a platform for low-latency voice chats, private messaging and themed-discusions?

The platform has attracted a range of miscreants creating information stealing malware, spyware, backdoors, and ransomware resurrected as ‘mischiefware’, according to new research by Sophos.

Among other things, the research reveals how the number of URLs hosting malware on Discord’s Content Management Network (CDN) in Q2 2021 had increased by 140% compared to the same period last year, according to analysis of more than 1,800 malicious files detected by Sophos telemetry. 

Here are some of the findings:

  1. Malware is often disguised as gaming-related tools and cheats in Discord. The researchers also found a lure that offered gamers the chance to test a game in development.
  2. 35% of malware were information-stealers. More than 10% of the malware on Discord belonged to the Bladabindi family of information-stealing backdoors. Researchers also found several password-hijacking malware, including Discord security token ‘loggers’ built specifically to steal Discord accounts. In another instance, researchers found a modified version of a Minecraft installer that, in addition to delivering the game, installs a ‘mod’ called ‘Saint’, a spyware capable of capturing keystrokes and screenshots as well as images directly from the camera on an infected device. 
  3. Lurking: repurposed ransomware, backdoors, Android malware packages, and more. The files from Discord analyzed for malicious content included several types of Windows ransomware. Android malware were found to comprise backdoors, droppers and financial trojans designed to steal access to online bank accounts and cryptocurrency. A file advertised as a ‘multitool for FortNite’ actually loads a Meterpreter backdoor, and the stealer malware Agent Tesla that allows hackers to remotely access victims’ computers and deliver other malware, was rampant in Discord. 

At a technical level, the researchers found some malware using the Application Programming Interface (APIs) of Discord chat bots to covertly communicate with and receive instructions from their command server. Sophos also uncovered files that claimed to install cracked versions of popular commercial software, such as Adobe Photoshop, and tools that claimed to give the user access to the paid features of Discord Nitro, the service’s premium edition.

Said the firm’s senior threat researcher, Sean Gallagher: “Discord provides a persistent, highly-available, global distribution network for malware operators, as well as a messaging system that these operators can adapt into command-and-control channels for their malware—in much the same way attackers have used Internet Relay Chat and Telegram. Further, adversaries have caught on that companies increasingly use the Discord platform for internal or community chat in the same way they might use a channel like Slack. This provides attackers with a new and potentially lucrative target audience, especially when security teams can’t always inspect the Transport Layer Security-encrypted traffic (TLS) to and from Discord to see what’s going on and raise the alarm if needed.”

Discord users should remain vigilant to the threat of malicious content that is lurking within the service and not just leave it to the Discord platform to identify and remove suspicious files, said Gallagher.

In addition, IT security teams should never consider any traffic from an online cloud service as inherently ‘safe’ based on the trusted nature or legitimacy of the service itself. Adversaries could be hiding anywhere.