27 Unique Malware Deliverables Discovered from Discord CDN Abuse

  • Studies have shown Discord has 27 unique malware deliverables on its CDN and channels.
  • Varieties include backdoors, password stealers, spyware and trojans.
  • Trojans are the most common of all these malware types.

Discord is arguably the most popular VoIP, instant messaging, and digital distribution platform for gaming, animation, and other related entertainment industries. Recent discoveries in cybersecurity have indicated that Discord's 140 million users might be in danger of targeted malware attacks.

Discord users are allowed to sort channels by topic and attach all types of files. This includes images, documents, other files, and even executables. All of this data is stored on Discord's Content Delivery Network (CDN) servers. Studies have shown that many of these files are malicious in nature, and some channels are created simply to distribute these corrupted files.

RiskIQ aggregated the channels and file hashes flagged on VirusTotal; the investigation placed 100 of them in the malicious-content-deliverable category. They also detected over eighty files from seventeen malware families, with the most common belonging to trojan families. Most channels host a single file for distributing malicious content.

According to Microsoft's detection and further research, Discord has 27 unique malware families, divided into four types.

  • Backdoors: AsyncRat, Bladabindi, QuasarRAT
  • Spyware: Raccoon Stealer
  • Trojan: AgentTesla, AZORult, ClipBanker, Clipper, CryptInject, DefenseEvasion, Dridex, Formbook, Grwtpia, Mokes, NanoBot, Phonzy, RelineStealer, Sabsik, Tiggre, Wacatac, Woreflint
  • Password Stealers (PWS): DarkStealer, Dcstl, Mercurial, Mintluks, RedLine

One example is a channel ID associated with zoom-download[.]ml, which prompts users to download a Zoom plugin for MS Outlook but delivers the Dcstl password stealer instead. Another channel hosted a Raccoon password stealer file from a Taplink domain; Taplink is used for hosting micro landing pages that direct individuals to Instagram or other social media pages. The AsyncRAT backdoor tricks users into downloading what they believe to be Discord Nitro (which enhances text chat, voice, and video), but they end up infected.
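The lure pattern described above (a channel ID on Discord's CDN serving an executable under a plausible name) is something a defender can look for in outbound web proxy logs. The following is an added example written for this page, not code from the article, RiskIQ or Microsoft. It assumes a simple whitespace-separated proxy log format and the Discord attachment URL layout `cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>`; the log lines are constructed for the example and the channel and attachment IDs in them are placeholders, not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article):
# "timestamp client method url status bytes"
SAMPLE_LOG = """\
2021-07-21T10:01:02Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/ZoomOutlookPlugin.exe 200 418304
2021-07-21T10:03:15Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/readme.txt 200 1024
2021-07-21T10:05:40Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/DiscordNitroFree.scr 200 902144
2021-07-21T10:07:09Z 10.0.0.31 GET https://example.com/downloads/installer.exe 200 5000000
2021-07-21T10:08:00Z 10.0.0.45 GET https://cdn.discordapp.com/attachments/111111111111111111/666666666666666666/update.dll 200 2048
"""

# File extensions that run as native code or scripts on Windows when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".msi", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".jar"}

# Assumed Discord attachment path layout: /attachments/<channel_id>/<attachment_id>/<filename>
ATTACHMENT_PATH = re.compile(
    r"^/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<filename>[^/]+)$")


def parse_line(line):
    """Split one proxy log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def classify_discord_download(url):
    """Return (channel_id, filename) if url is an executable attachment on
    Discord's CDN, otherwise None."""
    parsed = urlparse(url)
    if parsed.hostname != "cdn.discordapp.com":
        return None
    m = ATTACHMENT_PATH.match(parsed.path)
    if not m:
        return None
    filename = m.group("filename")
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    return m.group("channel"), filename


def find_suspicious_downloads(log_text):
    """Group successful executable downloads from Discord's CDN by channel ID,
    so an analyst can see which channels are acting as distribution points."""
    by_channel = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        hit = classify_discord_download(rec["url"])
        if hit:
            channel, filename = hit
            by_channel[channel].append(
                {"client": rec["client"], "file": filename, "bytes": rec["bytes"]})
    return dict(by_channel)


if __name__ == "__main__":
    for channel, events in find_suspicious_downloads(SAMPLE_LOG).items():
        print(f"channel {channel}: {len(events)} executable attachment(s)")
        for e in events:
            print(f"  {e['client']} fetched {e['file']} ({e['bytes']} bytes)")
```

On the constructed log, the `readme.txt` fetch and the non-Discord `installer.exe` are ignored; the two placeholder channels are reported with two and one executable attachments respectively. Grouping by channel ID is the useful part: a channel that keeps serving fresh executables to different clients is the pattern the article describes, and the channel ID is what you would block or hunt on next.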

Figure: AsyncRAT hosted on Discord's CDN.
