Alarming Security Report Claims Discord Is A Breeding Ground For Hackers And Malware

Discord is a great voice, text, and video platform that allows friends, family, and communities of all types to connect in a common space. However, it’s been known that Discord has been used for some terrible things, such as the massive leak of intelligence from the U.S. Pentagon. Now, threat actors are leveraging the interconnectivity to further their hacking operations and steal data with ease.

Earlier this week, researchers from Trellix posted a blog outlining what they call “The Discord Issue.” Ernesto Fernández Provecho and David Pastor Sanz explain that it is a two-pronged problem: malicious software abuses Discord both to download files and to exfiltrate information once a host is infected. With respect to the former, Discord’s content delivery network (CDN) lets an attacker upload any file using a user account they create. Once the attacker has a shareable link for the file, they can send it to other users or to a group, and the file can then be retrieved either by a victim clicking the link or by another piece of software in the infection chain.

An example of a webhook being used to send text to a Discord channel.

Concerning the latter piece, exfiltration, Discord has an automation feature called webhooks, which are traditionally used for bots, announcements, or alerts of varying types. However, a threat actor could use this feature to send text, files, or other data back to a command-and-control style Discord server.

The open-source Umbral stealer asks for a Discord Webhook to send information to

However, major advanced persistent threat (APT) groups are not using Discord for staging malware and exfiltrating information. The researchers report that the Discord abuse, by and large, is “limited to information stealers and grabbers that anyone can buy or download from the Internet.” That could change, though, and there appear to be outlier APTs potentially using Discord already, which makes the trend somewhat concerning. It should be noted, too, that Discord is only the new and shiny replacement for IRC among threat actors who have been using chat rooms for years.

In any event, given the abuse of Discord, Trellix recommends that security teams and tools monitor and control Discord communications, blocking them if necessary. However, that could be quite a tall task, so we should perhaps look to Discord to lock down some of the malicious activity going on under its nose.
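As a concrete illustration of the monitoring Trellix recommends, here is a small detector that runs over outbound proxy log lines and flags the two patterns the report describes: POSTs to Discord webhook URLs (the exfiltration path) and downloads of executable attachments from Discord's CDN (the staging path). This is an added example, not code from the article or from Trellix. The log format and the sample lines are constructed for the example; the `discord.com/api/webhooks/...` and `cdn.discordapp.com/attachments/...` URL shapes are the well-known Discord endpoints, and the allowlist of hosts permitted to post to webhooks is a hypothetical parameter a deployment would fill in.

```python
"""Flag Discord webhook POSTs and risky CDN attachment downloads in proxy logs.

Added example (not from the article). Assumes a constructed proxy log format:
    <timestamp> <client-ip> <method> <url> <status> <bytes> "<user-agent>"
"""
import posixpath
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Discord webhook URLs look like /api/webhooks/<id>/<token> (optionally /api/v10/...).
WEBHOOK_PATH_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_-]+")

# File types that a workstation should rarely fetch from a chat service's CDN.
RISKY_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi"}

# Constructed sample log (hypothetical IPs, IDs and token; not real data).
SAMPLE_LOG = """\
2023-10-18T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
2023-10-18T10:01:09Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe 200 734208 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2023-10-18T10:01:15Z 10.0.0.12 POST https://discord.com/api/webhooks/333333333333333333/EXAMPLETOKEN_not_real 204 18432 "python-requests/2.31.0"
2023-10-18T10:02:40Z 10.0.0.44 GET https://discord.com/app 200 2048 "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0 discord/1.0.9016"
2023-10-18T10:03:05Z 10.0.0.44 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/photo.png 200 90112 "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0 discord/1.0.9016"
2023-10-18T10:04:11Z 10.0.0.57 GET https://cdn.discordapp.com/attachments/666666666666666666/777777777777777777/report.pdf 200 40960 "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
"""


@dataclass
class Finding:
    client: str
    rule: str
    severity: str
    url: str


def detect(lines: Iterable[str], webhook_allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per log line that matches a Discord-abuse pattern.

    webhook_allowlist: client IPs (e.g. a CI or alerting host) that are approved
    to post to Discord webhooks; everything else posting to a webhook is flagged.
    """
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        path = parts.path

        # Exfiltration path: a POST to a webhook URL from a host not approved for it.
        if host == "discord.com" and rec["method"] == "POST" and WEBHOOK_PATH_RE.match(path):
            if rec["client"] not in webhook_allowlist:
                findings.append(Finding(rec["client"], "webhook_post_from_unapproved_host", "high", rec["url"]))

        # Staging path: attachment downloads from the Discord CDN.
        elif host == "cdn.discordapp.com" and path.startswith("/attachments/"):
            ext = posixpath.splitext(path)[1].lower()
            if ext in RISKY_EXT:
                findings.append(Finding(rec["client"], "cdn_executable_download", "high", rec["url"]))
            elif "discord/" not in rec["ua"].lower():
                # Not the desktop client; could be web Discord in a browser or a
                # dropper fetching its next stage, so rate this lower and triage.
                findings.append(Finding(rec["client"], "cdn_attachment_without_discord_client", "medium", rec["url"]))
    return findings


def detect_sample() -> List[Finding]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in detect_sample():
        print(f"[{f.severity}] {f.client} {f.rule} {f.url}")
```

On the sample, the `update.exe` fetch and the `python-requests` webhook POST from 10.0.0.12 are rated high, the PDF fetched from a plain browser is rated medium for triage, and the desktop-client image download produces nothing. The medium rule is deliberately noisy where users are allowed to use web Discord; the high-value signal is the combination of an executable download followed by a webhook POST from the same client, which is exactly the stager-then-exfiltrate sequence the report describes.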