Alarming Security Report Claims Discord Is A Breeding Ground For Hackers And Malware
Earlier this week, researchers from Trellix posted a blog outlining what they call “The Discord Issue.” Ernesto Fernández Provecho and David Pastor Sanz explain that it is a two-pronged problem: malicious software abuses Discord both to download files and to exfiltrate information once a host is infected. With respect to the former, Discord’s content delivery network (CDN) allows an attacker to upload any file using a user account they create themselves. As soon as the attacker obtains a shareable link for the file, they can send it to other users or a group. The file can then be retrieved either by a person clicking the link or by another component of the infection chain.
Concerning the latter piece, exfiltration, Discord has an automation feature called webhooks, which are traditionally used for bots, announcements, or alerts of varying types. However, a threat actor could use this feature to send text, files, or other data back to a command-and-control style Discord server.
However, major advanced persistent threat (APT) groups are not using Discord for staging malware and exfiltrating information. The researchers report that the Discord abuse, by and large, is “limited to information stealers and grabbers that anyone can buy or download from the Internet.” This could change, though, and there appear to be outlier APTs that may already be using Discord, which makes the trend somewhat concerning. It should be noted, though, that Discord is only the new and shiny thing replacing IRC for threat actors who have been using chat rooms for years.
In any event, given the abuse of Discord, Trellix recommends that security teams and tools monitor and control Discord communications, blocking them if necessary. However, that could be quite a tall task, so we should perhaps look to Discord to lock down some of the malicious activity going on under its nose.
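As an added illustration of the monitoring Trellix recommends, the following Python script (written for this article, not code from Trellix or the original post) scans web-proxy log lines for the two halves of the problem described above: downloads of executable files from Discord's attachment CDN (`cdn.discordapp.com/attachments/...`) and POSTs to Discord's webhook API (`discord.com/api/webhooks/...`). The log format and the log lines are constructed for the example; the two Discord hostnames and URL paths are Discord's real endpoints. It also correlates the two behaviours per source host, since a single machine that first pulls a binary from the CDN and then posts to a webhook matches the staging-then-exfiltration chain the researchers describe.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic), one request per line:
# timestamp, client IP, HTTP method, URL, HTTP status, bytes transferred.
# The webhook token below is a placeholder.
SAMPLE_PROXY_LOG = """\
2023-10-12T09:14:02Z 10.0.0.21 GET https://discord.com/app 200 4812
2023-10-12T09:15:44Z 10.0.0.37 GET https://cdn.discordapp.com/attachments/111/222/update.exe 200 1835008
2023-10-12T09:16:01Z 10.0.0.37 POST https://discord.com/api/webhooks/333/EXAMPLE_TOKEN 204 52481
2023-10-12T09:17:10Z 10.0.0.42 GET https://cdn.discordapp.com/attachments/444/555/photo.png 200 20411
"""

# Assumed (constructed) log layout for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Discord's attachment CDN path: /attachments/<channel id>/<attachment id>/<filename>
ATTACHMENT_RE = re.compile(
    r"^https://cdn\.discordapp\.com/attachments/\d+/\d+/(?P<name>[^/?#]+)"
)
# Discord's webhook API path: /api/webhooks/<webhook id>/<token>
WEBHOOK_RE = re.compile(r"^https://discord\.com/api/webhooks/\d+/[^/?#]+")

# File types worth alerting on when fetched from a chat platform's CDN.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js",
    ".vbs", ".jar", ".msi", ".hta", ".lnk",
}


@dataclass
class Finding:
    ts: str
    src: str
    kind: str      # "cdn_executable_download" or "webhook_post"
    detail: str


def classify(line: str):
    """Return a Finding for a suspicious request, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, method = m["url"], m["method"]

    a = ATTACHMENT_RE.match(url)
    if a:
        ext = os.path.splitext(a["name"])[1].lower()
        if ext in RISKY_EXTENSIONS:
            return Finding(m["ts"], m["src"], "cdn_executable_download",
                           f"{a['name']} ({m['bytes']} bytes)")
        return None  # images and other attachments are normal Discord usage

    if WEBHOOK_RE.match(url) and method == "POST":
        # Webhooks only accept POSTs from the sending side; an endpoint host
        # posting to one is unusual outside of developer/automation boxes.
        return Finding(m["ts"], m["src"], "webhook_post",
                       f"{m['bytes']} bytes sent to webhook")
    return None


def scan(log_text: str):
    """Scan every line of a proxy log and collect findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def hosts_with_both(findings):
    """Hosts that both pulled an executable from the CDN and posted to a webhook."""
    kinds_by_host = {}
    for f in findings:
        kinds_by_host.setdefault(f.src, set()).add(f.kind)
    wanted = {"cdn_executable_download", "webhook_post"}
    return sorted(h for h, kinds in kinds_by_host.items() if wanted <= kinds)


if __name__ == "__main__":
    results = scan(SAMPLE_PROXY_LOG)
    for f in results:
        print(f"{f.ts} {f.src} {f.kind}: {f.detail}")
    print("staging + exfiltration pattern on:", hosts_with_both(results))
```

On the constructed log this flags the `.exe` download and the webhook POST from 10.0.0.37, ignores the PNG and the ordinary Discord page load, and names 10.0.0.37 as the host showing both behaviours. In practice the webhook rule needs an allowlist for build servers and bots that legitimately post alerts, and the extension list should be tuned to what the environment actually permits; the point is that both halves of the abuse leave distinct, matchable URL patterns in egress logs.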