Posted on October 21, 2021 at 8:16 AM
Hackers Exploiting Discord Bots to Launch Malware Attacks
Because of a surge in users, VoIP, messaging, and digital communications platforms are increasingly targeted by threat actors. With most businesses and individuals transitioning towards virtual meetings, these platforms have become highly popular over the past year.
One of the most common platforms that facilitates the distribution of digital information across different platforms is Discord. This is a cross-platform app with over 19 million active servers. The platform is home to content such as gaming, arts, marketing, finance, sports and more. Statistics on this platform also show that it has more than 150 million active monthly users.
Check Point Research has shown that threat actors are now looking for ways to compromise this new technology. The research points to malware that can compromise anyone on GitHub. The malware can perform various actions such as taking screenshots, downloading and executing additional files, and keylogging. These compromises are carried out using key features of Discord.
Discord Bots Used to Distribute Malware
Discord Bots are developed to enable users to automate various functions using the Discord server. However, it has now emerged that these bots can also be used for malicious purposes, according to the research by Check Point.
According to Check Point Research, the Discord Bot API is among those that can be compromised and used to turn a bot into a Remote Access Trojan (RAT). No download is required for this malware to be integrated into the bot and onto a user’s device.
This malware goes undetected because the communication between the Discord server, the victim’s device, and the attackers is encrypted. According to the research, this encryption can give threat actors an easy avenue for compromising devices and turning these devices into malicious bots.
In the report, the researchers stated that “The Discord API does not require any type of confirmation or approval and is open for everyone to use. Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. Preventing Discord malware can’t be done without harming the Discord community. As a result, it’s up to the users’ actions to keep their devices safe.”
The research pointed out several instances where the attackers exploited Discord and disguised it as a malicious file hosting service. The research further noted that Discord’s functionality made it very easy for the systems to be compromised. The researchers stated that any file of 8 MB or less could be uploaded and sent to other systems using Discord. The platform does not analyze content, making it easy for malware to be spread using this system.
The research also stated that “As Discord’s cache is not monitored by modern AVs, which alert a user in case a received file is considered malicious, the files remain available for download. Until relevant mechanisms are implemented, users must apply safety measures, and only download trusted files.”
Uses Malware Easily Available on the Internet
The Check Point research also included a preliminary analysis of the malware used, showing that its different capabilities could have been developed using basic functions of the Python programming language. The malware and bots used in the attacks can also easily be found on the internet.
The malware has not been developed in a single language; it is written in cross-platform languages. This makes the malware able to work across different systems, including Linux, OSX and Windows.
An example of malware that was detected on this platform is DiscordRootKit. The malware has been written in Python, and it has a wide range of functionalities such as opening a shell on the victim’s device, finding different browser tokens, taking screenshots, taking webcam screenshots from the device’s camera and keylogging.
Check Point further stated that the malware could be used to “add a backdoor to Discord’s index.js file. This is for persistence purposes. Discord has file integrity checks for its files, but the index.js file is an exception. This allows the malware to implement a backdoor in the file which remains undetected (this specific payload is also not detected by different antiviruses). This can be used to run arbitrary code on the client with user privileges once Discord is opened by the user (if it exists on the system).”
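Since the quoted report says index.js is exempt from Discord's own integrity checks, a defender can baseline that file independently. The script below is an added example, not code from Check Point or Discord: it hashes every index.js under an install directory supplied by the operator (the directory and the baseline file name are assumptions) and reports any that were modified, added or removed.

```python
import hashlib
import json
import sys
from pathlib import Path

TARGET_NAME = "index.js"  # file the report says Discord's integrity checks skip


def snapshot(root: Path) -> dict:
    """Map every index.js below root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob(TARGET_NAME))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """List index.js files modified, added or removed since the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in both if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def save_baseline(root: Path, baseline_file: Path) -> dict:
    """Record the current state; run this on an install you trust."""
    snap = snapshot(root)
    baseline_file.write_text(json.dumps(snap, indent=2))
    return snap


def check(root: Path, baseline_file: Path) -> dict:
    """Compare the install against the stored baseline."""
    return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    # Usage: script.py baseline|check <discord_install_dir> <baseline.json>
    # The install directory is supplied by the operator; no path is assumed here.
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "check"):
        sys.exit("usage: baseline|check <discord_install_dir> <baseline.json>")
    mode, root, store = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        print(f"recorded {len(save_baseline(root, store))} index.js file(s)")
    else:
        report = check(root, store)
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

Re-record the baseline after a client update you initiated, since an update may legitimately replace these files, and keep the baseline file somewhere the logged-in user's processes cannot overwrite.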
Check Point has not elaborated on the measures that Discord users can take to avoid falling victim to these attacks. However, the usual online precautions still apply, including using strong firewalls to protect devices from any form of malicious attack.