A new wave of Discord malware is on the rise - here’s what you need to know

APTs have started abusing Discord to deliver infostealers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Advanced Persistent Threats (APT) have been observed abusing Discord to target critical infrastructure in Ukraine and steal sensitive data.

This is according to a new report from Trellix, whose researchers said this was the first time an APT (which are usually state, or state-sponsored groups) abused the popular communication and collaboration platform to exfiltrate information.

According to the report, an unnamed threat actor was engaged in a phishing attack, in which it distributed a OneNote file named “dobroua.one” - a typosquatted name of the Ukrainian non-profit organization dobro.ua. The file urged the reader to make a donation to the Ukrainian cause and offered a button named “Support”. Clicking it runs an embedded Visual Basic Script (VBS) which, after a few steps, starts exfiltrating data via Discord’s webhook.

Highly targeted attacks

On Discord, a webhook is a utility designed to send messages to text channels without the need for the Discord application. It is also an automation feature that, in this particular instance, allows the attacker to send files and other data stored on the victim’s machine.

Trellix believes the attack is highly targeted, as in its telemetry it hasn’t seen any further related samples. “This suggests the attack was targeting only the Ukrainian critical infrastructure organizations where the sample was recovered, and any further stages apart from the ones described could not be retrieved,” they explained.

It’s also worth mentioning, the researchers say, that the campaign was probably in its earlier stages, as the final payload was all about gathering system information. “The actor could deliver a more sophisticated piece ofmalwareto the compromised systems in the future by modifying the file stored in the GitHub repository,” the researchers warn.

One of the reasons Discord isn’t being used by APTs on a bigger scale is the lack of complete control over the C2 server. Should they be compromised, Discord can terminate their account at any time, potentially cutting off access to any sensitive information they might have obtained in the meantime.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

LG Electronics sets ambitious B2B revenue goal to offset declining consumer demand