Cybercriminals have long targeted cloud-based instant messaging services, which provide easy communication between users. One of these services recently leveraged by hackers is Discord. The platform is now being extensively used to spread phishing and malware.

Discord offers VoIP, instant messaging and digital distribution and, because of this, it was used by the gaming community before gaining popularity among a wider variety of users. 150 million users worldwide were registered during 2019 and the surge in membership has continued since then. Additionally, the service has, for some time, been used by cybercriminals via the platform’s live chat feature for selling and trading stolen data, for anonymous communications, and as C2 servers for communicating with malware-infected devices.

Throughout 2021, the service has been widely abused to share malware variants, including information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware.

Similar to other collaboration apps, Discord uses content delivery networks (CDNs) for storing files shared within channels. Hackers can place malicious files on Discord and create a public link for sharing, and that link can be shared with anyone, not just Discord users. The URL generated for sharing begins with so anyone who is sent the link will see that the link is for a legitimate site. While there are controls to stop malicious files from being uploaded, in a lot of cases hackers can bypass those protections and get their malicious files hosted, and alerts are not always shown to users about the risk of clicking on files from Discord. Since the malicious payloads are sent over encrypted HTTPS, the downloads can be masked from security solutions.

Additionally, once uploaded, the malware can be removed from a thread, but it is still accessible using the public URL. Users are often fooled into installing these malicious files under the guise of pirated software or games. Gamers are targeted because their PCs typically have a high spec for gaming, which makes them perfect for cryptocurrency mining.
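As an added example (not from the original article), the sketch below shows how a defender might triage web proxy logs for the CDN-hosted downloads described above: it flags risky file types when the proxy logs full URLs, and separately flags CONNECT tunnels where HTTPS hides the path. The CDN hostname, the extension list, the log format and the sample lines are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostname of Discord's file CDN (the article does not name it).
CDN_HOSTS = {"cdn.discordapp.com"}
# Assumption: extensions treated as risky; tune for your environment.
RISKY_EXT = {".exe", ".dll", ".scr", ".msi", ".bat", ".ps1", ".js",
             ".zip", ".rar", ".7z", ".iso"}

# Constructed sample proxy log lines in the form "<client> <method> <target>".
SAMPLE_LOG = """\
10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/FreeGame_Crack.EXE?ex=abc
10.0.0.5 GET https://cdn.discordapp.com/attachments/111/333/screenshot.png
10.0.0.9 CONNECT cdn.discordapp.com:443
10.0.0.7 GET https://example.org/tools/setup.exe
malformed line
"""

def classify(line):
    """Return (client, verdict, detail) for a log line, or None if not of interest."""
    parts = line.split()
    if len(parts) != 3:
        return None  # skip malformed entries instead of crashing the scan
    client, method, target = parts
    if method == "CONNECT":
        # Without TLS inspection only the host is visible, not the file path.
        host = target.rsplit(":", 1)[0].lower()
        return (client, "opaque-tunnel", host) if host in CDN_HOSTS else None
    url = urlsplit(target)
    if (url.hostname or "").lower() not in CDN_HOSTS:
        return None
    # Use the last path segment; the query string is already split off.
    name = url.path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""  # final extension, so "a.pdf.exe" -> ".exe"
    return (client, "risky-download", name) if ext in RISKY_EXT else None

def scan(log_text):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, verdict, detail in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{detail}")
```

The "opaque-tunnel" hits mark where the proxy cannot see which file was fetched, so they need endpoint telemetry or TLS inspection to resolve.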

This style of malware campaign means that malware developers and distributors can simply share their malicious payloads with a high degree of anonymity. A review by Zscaler discovered over 100 unique malware samples from Discord in the Zscaler cloud in just a two-month period. Another review of Discord CDN results found approximately 20,000 results on VirusTotal.

The Discord app can also be easily modified to carry out malicious actions. Malicious JavaScript code can simply be added to the legitimate Discord client files and set up to run every time the client is started or when specially designed URLs are opened by the client.

Discord is not the only communication and collaboration solution to be leveraged by hackers. Slack and Telegram are also being abused in phishing and malware campaigns.

