27 Unique Malware Deliverables Discovered from Discord CDN Abuse
- Studies have shown Discord has 27 unique malware deliverables on its CDN and channels.
- Varieties include backdoors, password stealers, spyware and trojans.
- Trojans are the most common of all these malware types.
Discord is arguably the most popular VoIP, instant messaging, and digital distribution platform for gaming, animation, and other related entertainment industries. Recent discoveries in cybersecurity have indicated that Discord's 140 million users might be in danger of targeted malware attacks.
Discord users are allowed to sort channel by topic and attach all types of files. This includes images, docs, other files, and even executables. All this data is stored on Discord's Content Delivery Network (CDN) servers. Studies have shown that a lot of these files are malicious in nature, and some channels are created simply to distribute these corrupted files.
RiskIQ aggregated the number of channels and hashes marked as VirusTotal. An investigation included 100 into the malicious content deliverable category. They also detected over eighty files from seventeen malware families, with the most common belonging to trojan families. Most channels will have one file for distributing malicious content.
According to Microsoft's detection and further research, Discord has 27 unique malware families basically divided into four types.
- Backdoors: AsyncRat, Bladabindi, QuasarRAT
- Spyware: Raccoon Stealer
- Trojan: AgentTesla, AZORult, ClipBanker, Clipper, CryptInject, DefenseEvasion, Dridex, Formbook, Grwtpia, Mokes, NanoBot, Phonzy, RelineStealer, Sabsik, Tiggre, Wacatac, Woreflint
- Password Stealers(PWS): DarkStealer, Dcstl, Mercurial, Mintluks, RedLine
One example is a channel's ID associated with zoom-download[.]ml which prompts users to download a Zoom plugin for MS Outlook but sends over Dcstl password stealer instead. Another channel hosted a Raccoon password stealer file from a Taplink domain which is used for hosting micro landing pages used for directing individuals to Instagram or other social media pages. AsyncRAT backdoor tricks the user into downloading what they believe as Discord Nitro to enhance text chat, voice, and video, but they end up getting infected.
