Threat Actors Abusing Discord to Spread Malware

Researchers have discovered new multi-function malware abusing the core functions of popular group app platform Discord.

Check Point explained in a blog post this morning that it found several malicious GitHub repositories featuring malware based on the Discord API and malicious bots. It included various features, including keylogging, taking screenshots and executing files.

Discord bots help users automate tasks on the Discord server. However, they can also be used for malicious ends, the researchers warned.

For example, the Discord Bot API can easily be manipulated to turn a bot into a simple Remote Access Trojan (RAT). This doesn’t even require the Discord app to be downloaded to a target’s machine.

What’s more, communications between attacker, Discord server and victim’s machine are encrypted by Discord, making it much harder to detect any malware, Check Point claimed. It said that this could provide attackers with an “effortless” way to infect machines and turn them into malicious bots.

“The Discord API does not require any type of confirmation or approval and is open for everyone to use,” the researchers wrote.

“Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. Preventing Discord malware can’t be done without harming the Discord community. As a result, it’s up to the users’ actions to keep their devices safe.”

Check Point also found dozens of instances where threat actors used Discord as a malicious file hosting service, with their privacy protected by the app.

“As of now, any type of file, malicious or not, whose size is less than 8MB can be uploaded and sent via Discord. Because the file content isn’t analyzed, malware can be easily spread via Discord,” it concluded.

“As Discord’s cache is not monitored by modern AVs, which alert a user in case a received file is considered malicious, the files remain available for download. Until relevant mechanisms are implemented, users must apply safety measures and only download trusted files.”

What’s Hot on Infosecurity Magazine?