
How hackers exploit Discord: A case study

Recent research has detailed how hackers have been able to leverage Discord’s integrations for financial and political gain.

Mon, 17 Apr 2023

A recent research paper by identity security provider CyberArk has illuminated how cyber threat actors have been able to leverage Discord’s API integrations to disseminate malware.

The platform, currently used by some 300 million people, bills itself as a “place to talk and hang out”. Since its creation in 2015, it has become popular among online communities — from gamers through to political groups — enabling people to communicate with one another via text and speech.

The platform has courted controversy in the past. In 2020, Vice reported on an internet leak of nearly 10 million messages from some 100 neo-Nazi and QAnon Discord servers.


Despite the platform’s history with such groups, the recent CyberArk research uncovered how malware groups are using Discord’s Content Delivery Network to distribute malicious payloads.

According to the cyber security provider, hosting malicious payloads on Discord behind HTTPS has made it harder for security tools to tell which payloads are benign and which are malicious.

“Being hosted on a popular service and protected by HTTPS makes the process of differentiating between the malicious and benign files a difficult task,” the research determined.

So what methods are malicious actors currently using? One key method is tampering with the Discord client’s own source code, which is stored locally on the user’s machine.

“A method that has recently risen in popularity is injecting a payload into Discord’s source code. This is possible due to the fact that Discord is an [ElectronJS] app written in NodeJS,” the CyberArk research determined.

“ElectronJS is a framework that allows the creation of desktop apps that are in essence a NodeJS-based website running locally in a Chromium browser. All of the source code for the app is hosted locally in plaintext and is not checked for tampering prior to execution.”
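To show what “not checked for tampering prior to execution” means in practice, here is an added defender-side example (not code from CyberArk or Discord): a small Python integrity check that hashes an Electron app’s shipped source files against a baseline captured at install time and reports any file that has since been modified, added or removed. The directory layout and file names are constructed for the demo; Discord’s real install paths are not given on the page and are not assumed here.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that make up an Electron app's locally stored source (assumption for the demo).
SOURCE_SUFFIXES = (".js", ".json", ".asar")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large .asar bundles are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every source file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Diff the live tree against a known-good baseline taken at install time."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate tampering and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "modules" / "core"  # hypothetical layout, not Discord's real one
        core.mkdir(parents=True)
        (core / "index.js").write_text("module.exports = require('./app');\n")
        (core / "package.json").write_text('{"name": "core"}\n')
        baseline = build_baseline(root)  # in practice, store this where the user cannot edit it
        # Simulate what the research describes: an edit to a shipped file plus a new file.
        with (core / "index.js").open("a") as fh:
            fh.write("require('./extra');\n")  # constructed edit, no real payload
        (core / "extra.js").write_text("// constructed placeholder\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A real deployment would sign the baseline or keep it outside the user-writable install directory, since a baseline the attacker can rewrite detects nothing.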

While undertaking this research, CyberArk uncovered potentially new cyber gangs that are actively targeting users.

Examining one malware sample discovered in September 2022, researchers saw how cyber criminals leveraged Discord both as a communications channel and as a source of financial gain.

The malware, dubbed Vare, was traced through details in its code back to a GitHub account whose “starred projects are all Discord malware-related”. Further findings suggested that the malware developers focused on harvesting Discord Nitro gift keys, which can then be sold.

The group, dubbed Kurdistan 4455, is alleged to have created malware that would examine an individual’s web browser, Discord and network information before sending “all collected information through a Discord webhook”.

According to the CyberArk research, the primary drivers for the cyber threat actors were twofold.

“The first motivation is monetary, as they tried selling Discord Nitro to users at a discounted rate — a common way to launder money from stolen credit card data on the platform,” they wrote.

“The second motivation is hacktivism. Based on their ideology and their origin, we assume this stems from the longstanding conflict between Turkey and the Kurdistan people.”
