The onset of the pandemic has elevated the use of online services. People of all ages turned online for school and work, to stream videos, play video games, have a virtual get-together, and engage in many other activities. Cybercriminals took note of this and launched new campaigns targeting online users and gamers as well. One thing that many of these campaigns share in common is the fact that cybercriminals have begun leveraging the group-chatting platform Discord as a CDN for hosting their malicious payloads.
What does the research say?
In a new report, Zscaler’s ThreatLabZ team revealed the widespread use of the service to host multiple payloads, including the Epsilon ransomware, Redline stealer, XMRig miner, and Discord token grabbers.
Many of these campaigns relied on the cdn.discordapp.com service for their infection chain.
Malicious files were renamed as pirated software or gaming software to trick gamers.
To make it look more convincing, cybercriminals used file icons related to popular games.
When Discord is itself a target
In late January, researchers uncovered three malicious software packages published on the npm open-source repository.
The packages, named an0n-chat-lib, discord-fix, and sonatype, shared similarities with CursedGrabber Discord malware and were designed to steal tokens and other information from Discord users.
The stolen token, in turn, would allow the attackers to hack the server.
When Discord becomes an attack vector
Scam artists seeking ways to make easy cash, targeted Discord servers in a cryptocurrency giveaway scam.
The scammers entered into Discord servers and sent private messages to users that appeared to be from new and upcoming cryptocurrency exchanges.
This new trend in scams that leverage Discord servers explains the far-sightedness of cybercriminals aiming for more victims in less time.
Discord is a chatting platform built primarily for gamers. Over the years, the platform has become increasingly popular among other professional communities for sharing information and this is no secret. Threat actors are now relying on the Discord app to host malicious files. Due to the static content distribution service, it remains publicly accessible even after removing actual files from Discord.