CyberArk’s David El explains the Discord features that make users on the social platform vulnerable to cyberattacks.
The increasing use of malware to perform ransomware attacks and gain access to a company’s computer system is an ongoing issue. In 2022, 75pc of organisations experienced a malware attack, and ransomware payments nearly doubled, causing significant disruption within businesses.
With more than 140m monthly active users, Discord is a popular online chat service, initially aimed at gaming communities, but now appealing to a wider community due to its multiple features and ease of use. Developers can use Discord to build apps easily, saving them time to focus on more advanced tasks.
However, Discord’s ease of use also benefits attackers who have found ways to misuse its features to develop malware more easily, while making it harder to detect and mitigate against. With the number of malware attacks rising continuously, it is important to raise awareness. Users must understand the common attack methods employed on Discord to protect themselves.
Discord Nitro and the rise of malware
The origins of malware on the platform can be traced back to the release of Discord Nitro, which allowed users to send larger files and longer messages, and access higher quality video streaming.
As with many premium features, Discord Nitro became highly desirable amongst users, inspiring some to try to get it without paying. This led users to resort to nefarious methods to obtain Nitro, such as brute-forcing gift keys and social engineering.
Eventually, some users took this approach one step further, operating malware to target others on the platform, steal their credit card information and remotely purchase Discord Nitro gift keys. These gift keys can be used to acquire Discord Nitro, so malicious actors are reselling them to make profit while victims have no idea what is happening.
Exploitable features
Malware operators have various strategies in place to make it almost impossible for users to detect threats. One strategy is to use a Content Delivery Network – a file hosting service which offers high availability and uptime – to host payloads their tools can download and run. Having these payloads hosted on a popular service and protected by HTTPS makes it difficult to differentiate between malicious and benign files.
Another tool employed by malware operators is Command and Control (C&C) communication over Discord’s API. The API allows straightforward communication between users on the platform and the program. As a result, implementing C&C communication over the API is a simple task. Because it is connecting with a single endpoint that can be accessed through legitimate services, this type of C&C communication is difficult to monitor and mitigate against.
Webhooks, introduced in 2020, is another Discord feature that is now used with malicious intents. This feature allows server owners to create a webhook for any channel they own and send messages to it through the webhook, via a simple HTTPS request. This feature is a great way to inform users of specific operations safely and quickly. It was originally designed to execute actions such as notification of a new git pull request, but attackers have started misusing this feature to exfiltrate stolen data from their targets.
User data at risk
Another method which has recently risen in popularity is injecting a payload into Discord’s source code, which is possible because all of the source code for the app is hosted locally in plaintext and isn’t checked for tampering prior to execution.
This method is also used because of persistence – as the payload is part of Discord’s app source code, it gets executed at the app’s start, which is usually at logon, and because it connects with Discord’s clients – malware operators can impersonate targets and forge requests in the victim’s name. This enables malware operators to take actions such as exfiltrating all private conversations, creating fake messages and buying Discord Nitro gift keys.
This is a popular way to steal money without leaving an easy trace to follow. While this approach might sound appealing, there are several drawbacks — for example, the option to inject code into Discord might be removed when new updates are released, and this method requires an initial ‘injector’ to insert the payload into the app’s source code.
Using GitHub to develop malware
There is a growing trend of developing malware to target Discord (usually called ‘Discord Stealer’) on GitHub directly, allowing operators to easily take a repository, clone it, compile it and, within minutes, have a functioning malware sample they can use to infect victims.
Our research into Discord revealed that 44.5pc of repositories are written in Python and are standalone malware, and 20.5pc are written in JavaScript, and these repositories mainly take the approach of injecting code into Discord. This approach has become more popular in the past few years.
The threat continues to grow
It is easy for attackers to leverage Discord’s infrastructure maliciously. Sadly, the phenomenon is only growing in popularity. With Discord being such a popular platform among corporate developers, organisations are facing more challenges as there is a high risk that an undetectable piece of malware will infect their endpoints.
As Discord continues to grow, we can only expect threat actors to perform more advanced and complex malware attacks, improving their capabilities to exploit Discord’s infrastructure. Additionally, similar approaches may be used to target other online chat services.
By David El
David El is a cybersecurity researcher at CyberArk, He specialises in creating and maintaining scalable solutions to detect malware and malicious behaviour.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.