In the latest example of legitimate digital infrastructure being misused for malicious ends, a recent Trellix study has found a suspected nation-state campaign abusing the popular social platform Discord to target critical infrastructure.
Details to Know
Discord has emerged as an attractive vehicle for abuse in recent years, since its content delivery network (CDN) offers a convenient place to host malware.
The platform also exposes sensitive data on the client side (such as account tokens) to theft, and its webhooks give attackers a ready-made channel for data exfiltration.
Trellix Analysis
According to researchers at Trellix, Discord has predominantly been exploited by information stealers and data collectors that are readily accessible online.
They flagged a possible shift in this trend after discovering an artifact aimed at Ukrainian critical infrastructure. It is important to note that no definitive evidence links this artifact to a known threat group.
“The emergence of advanced persistent threat (APT) malware campaigns that leverage Discord’s functionalities adds complexity to the evolving threat landscape.”
Discord Abuse
Further analysis by Trellix shows that Discord’s CDN is frequently used by various malware families, including SmokeLoader, PrivateLoader, and GuLoader, to download next-stage payloads.
Malware families observed using Discord webhooks for malicious purposes include Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT.
Using Discord’s CDN as a distribution mechanism for additional payloads shows how readily cybercriminals repurpose collaboration applications for their own gain. Advanced persistent threats (APTs) are known for sophisticated, targeted attacks.
By infiltrating widely used communication platforms like Discord, they can effectively establish long-term footholds within networks, thereby jeopardizing critical infrastructure and sensitive data.
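The two abuse patterns described above (CDN-hosted payload downloads and webhook-based exfiltration) both leave a recognisable footprint in web proxy logs. The script below is an added example written for this article, not code from Trellix or any of the malware families named; it parses a handful of constructed proxy log lines (the log format is an assumption, as is the list of Discord hostnames) and flags fetches of executable attachments from Discord’s CDN and POSTs to Discord webhook URLs. The URL shapes it matches, `/attachments/<channel_id>/<attachment_id>/<filename>` and `/api/webhooks/<webhook_id>/<token>`, are Discord’s publicly documented ones.

```python
"""Detect Discord CDN payload fetches and webhook exfiltration in proxy logs.

Added example: the log lines are constructed, not real telemetry, and the
log format (timestamp, client IP, method, URL, status, bytes) is assumed.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines (assumed format: time src_ip method url status bytes).
SAMPLE_LOG = """\
2024-01-15T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1111111111111111111/2222222222222222222/update.exe 200 512000
2024-01-15T10:01:09Z 10.0.0.5 POST https://discord.com/api/webhooks/3333333333333333333/abcDEFghiJKLmnoPQRstuVWXyz0123456789 204 4096
2024-01-15T10:02:15Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1111111111111111111/4444444444444444444/screenshot.png 200 90000
2024-01-15T10:03:40Z 10.0.0.9 GET https://discord.com/channels/@me 200 1200
2024-01-15T10:04:01Z 10.0.0.5 POST https://discordapp.com/api/webhooks/5555555555555555555/zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz 204 1048576
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Discord attachment URL path: /attachments/<channel_id>/<attachment_id>/<filename>
ATTACHMENT_RE = re.compile(r"^/attachments/(\d+)/(\d+)/([^/?#]+)")
# Discord webhook URL path: /api/webhooks/<webhook_id>/<token>
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")

# Hostname lists are an assumption for this example; extend from your own telemetry.
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
# Extensions that have no business being fetched from a chat CDN on a server.
EXEC_EXTS = {".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".jar", ".hta"}


def classify(method, url, nbytes):
    """Return a finding dict for a Discord CDN download or webhook POST, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in CDN_HOSTS:
        m = ATTACHMENT_RE.match(parsed.path)
        if m:
            channel_id, attachment_id, filename = m.groups()
            ext = filename[filename.rfind("."):].lower() if "." in filename else ""
            return {
                "type": "cdn_download",
                "severity": "high" if ext in EXEC_EXTS else "low",
                "channel_id": channel_id,
                "attachment_id": attachment_id,
                "filename": filename,
                "bytes": nbytes,
            }
    if host in API_HOSTS and method.upper() == "POST":
        m = WEBHOOK_RE.match(parsed.path)
        if m:
            # Record the webhook id only: the token is a bearer secret and
            # must not be copied into tickets or SIEM fields.
            return {
                "type": "webhook_post",
                "severity": "high",
                "webhook_id": m.group(1),
                "bytes": nbytes,
            }
    return None


def scan_log(text):
    """Parse proxy log lines and return findings tagged with source IP and time."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash on them
        ts, src, method, url, _status, nbytes = m.groups()
        finding = classify(method, url, int(nbytes))
        if finding:
            finding.update({"time": ts, "src": src})
            findings.append(finding)
    return findings


def webhook_bytes_by_source(findings):
    """Sum bytes POSTed to webhooks per client: a crude exfiltration-volume signal."""
    totals = {}
    for f in findings:
        if f["type"] == "webhook_post":
            totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["src"], f["severity"].upper(), f["type"],
              f.get("filename", f.get("webhook_id")))
    print("webhook bytes per source:", webhook_bytes_by_source(found))
```

Run against the constructed sample, the script raises two high-severity webhook findings and one high-severity CDN finding for the same client (10.0.0.5), while the PNG download is rated low and the ordinary web-client request is ignored. In production the byte totals are the more useful signal: a legitimate user posting to a webhook sends kilobytes, whereas a stealer shipping browser databases or screenshots sends far more, and from hosts that should never talk to Discord at all.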
Securing Critical Infrastructure
The platform’s inherent capabilities, particularly its content delivery network (CDN) and webhooks, have become prime vehicles for hosting malware, stealing valuable data, and facilitating data exfiltration.
Establishing a global cybersecurity alliance, information sharing, and collaborative research can empower nations and organizations to stay ahead of emerging threats.