Hackers Are Exploiting Discord and Slack Links to Deliver Malware
Thanks in large part to the global pandemic, collaboration platforms like Discord and Slack have taken on an intimate role in our lives, helping us maintain personal connections despite physical isolation. But their growing role has also made them a powerful way to deliver malware to unsuspecting victims, sometimes in unexpected ways.
Cisco’s security division, Talos, released new research on Wednesday highlighting how collaboration tools like Slack and, in particular, Discord have become useful mechanisms for cybercriminals during the Covid-19 pandemic. With increasing frequency, they are used to deliver malware to victims in the form of a seemingly trustworthy link. In other cases, hackers have integrated Discord into their malware to remotely control code running on infected machines, and to steal data from victims. Cisco’s researchers note that none of the techniques they found exploits a clear vulnerability in Slack or Discord, nor do they require Slack or Discord to be installed on the victim’s machine. Instead, they take advantage of lesser-known features of these collaboration platforms, along with their ubiquity and the trust placed in them by both users and system administrators.
“People are more likely to do things like click on a Discord link than in the past because they are used to friends and colleagues sending files to Discord and sending them a link,” says Cisco Talos security researcher Nick Biasini. “Everyone uses collaborative apps, everyone knows them, and the bad guys have realized that they can abuse that.”
Among the collaboration-app abuse techniques the Cisco researchers found, the most common is to use the platform primarily as a file hosting service. Discord and Slack allow users to upload files to their servers and create an external link to those files, so that anyone can click on the link and access the file. In many cases found by Cisco, these files are malicious; the researchers list nine recent remote access spyware tools that hackers have tried to install in this way, including Agent Tesla, LimeRAT and Phoenix Keylogger.
The links don’t have to be delivered to victims within Slack or Discord. They can also be sent by email, where hackers can easily target victims en masse, impersonate a victim’s co-workers, and reach users who have no previous connection to the platform. As a result, Cisco has seen a huge increase over the past year in the use of these links to deliver malware via email. “We’ve seen tens of thousands of people in recent months and the rate has been steadily increasing,” Biasini says. “It looks like it’s peaking right now.”
The security company Zscaler similarly noted the rise in cybercriminals’ use of the technique in research published in February, warning that it was detecting two dozen malware variants a day, including ransomware and cryptocurrency mining programs, delivered as fake video games via Discord links. Hackers have also used the technique to plant malware that steals Discord authentication tokens from victims’ computers, allowing the hackers to impersonate them on Discord and spread more malicious Discord links while using their victims’ accounts to cover their tracks.
In addition to exploiting users’ trust in Slack and Discord links, the technique also obscures the malware itself, since Slack and Discord serve the links over HTTPS encryption and compress files when they are uploaded. And while other methods of hosting malware can be taken offline or blocked once a hacker’s server is identified, Slack and Discord links are harder for defenders to take down or block. “It might affect things like shutting down a server, closing down a domain, and listing files,” Biasini says. “And they’ve come up with a way to break that down.”
In addition to hosting their malware on Discord and Slack links, cybercriminals also use Discord as a component of their malware’s command and control and data theft. Discord allows programmers to add “webhooks” to their code, which automatically post information from an application or website into a Discord channel. Cybercriminals have used this feature to forward information from infected computers to the command and control server they use to administer a botnet, or even to send data from a victim’s machine back to that server. As with the malicious link technique, this webhook trick looks innocent and hides malicious traffic inside encrypted Discord communications, making it harder to take the hacker’s infrastructure offline. (Although Slack offers a similar webhook feature, Cisco says it has not yet seen hackers abuse it the way they abuse Discord’s.)
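The two abuses described above (chat-platform CDN links used as malware hosting, and webhooks used as a covert exfiltration channel) are both visible to defenders as recognisable URL shapes. The following Python detector is an added example, not code from Cisco Talos, Zscaler or the platforms themselves: it flags Discord and Slack file links in email text and escalates executable or archive file names, and it flags webhook POSTs in a proxy log that originate from a process other than a chat client or browser. The URL patterns are taken from public Discord and Slack documentation as the author knows them, not from the article; the email body, the proxy log format and the list of expected client processes are constructed for this example and would be tuned per organisation.

```python
"""Detect Discord/Slack file-link and webhook abuse in email text and proxy logs.

Added illustration, not Cisco Talos or Zscaler code. URL shapes are from public
platform documentation as known to the author; sample inputs are constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind url detail")

# Discord attachment links: the "file hosting" abuse (cdn/media hosts, numeric ids).
DISCORD_ATTACHMENT = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.com/attachments/\d+/\d+/([^\s\"'<>]+)", re.I)
# Discord webhook endpoints: the command-and-control / exfiltration abuse.
DISCORD_WEBHOOK = re.compile(
    r"https?://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
# Slack shared-file downloads and incoming webhooks.
SLACK_FILE = re.compile(r"https?://files\.slack\.com/files-(?:pri|tmb)/[^\s\"'<>]+", re.I)
SLACK_WEBHOOK = re.compile(r"https?://hooks\.slack\.com/services/[\w/]+", re.I)

# Extensions worth escalating when served from a chat CDN (assumption: tune per org).
RISKY_EXT = {".exe", ".scr", ".dll", ".js", ".vbs", ".ps1", ".bat", ".hta",
             ".jar", ".iso", ".zip", ".rar", ".7z"}
# Processes expected to talk to webhook endpoints (assumption: constructed allow-list).
KNOWN_CHAT_CLIENTS = {"discord.exe", "slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def _ext(name):
    """Lower-cased file extension of a URL path segment, ignoring any query string."""
    name = name.split("?")[0].lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def scan_text(text):
    """Return Findings for chat-platform file links found in an email body or message."""
    findings = []
    for m in DISCORD_ATTACHMENT.finditer(text):
        ext = _ext(m.group(1))
        sev = "high" if ext in RISKY_EXT else "info"
        findings.append(Finding("discord_attachment", m.group(0), f"{sev}:{ext or 'none'}"))
    for m in SLACK_FILE.finditer(text):
        ext = _ext(m.group(0))
        sev = "high" if ext in RISKY_EXT else "info"
        findings.append(Finding("slack_file", m.group(0), f"{sev}:{ext or 'none'}"))
    return findings


def scan_proxy_log(lines):
    """Flag webhook POSTs from processes that are not a known chat client or browser.

    Constructed log format: <timestamp> <src_ip> <process> <method> <url> <status> <bytes>
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        ts, src, proc, method, url, status, nbytes = parts[:7]
        if method.upper() != "POST":
            continue
        if DISCORD_WEBHOOK.search(url):
            kind = "discord_webhook"
        elif SLACK_WEBHOOK.search(url):
            kind = "slack_webhook"
        else:
            continue
        if proc.lower() not in KNOWN_CHAT_CLIENTS:
            findings.append(Finding(kind, url, f"{src} {proc} sent {nbytes} bytes at {ts}"))
    return findings


# Constructed sample inputs (placeholder ids, not real channels or webhooks).
SAMPLE_EMAIL = """Hi team, the updated invoice is here:
https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_2021.exe
and the slides: https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/slides.pdf
"""

SAMPLE_PROXY_LOG = [
    "2021-04-07T10:00:01Z 10.1.2.3 discord.exe POST https://discord.com/api/webhooks/123456789012345678/AbC-dEf_ghi 204 310",
    "2021-04-07T10:00:05Z 10.1.2.3 svchost.exe POST https://discord.com/api/webhooks/123456789012345678/AbC-dEf_ghi 204 48212",
    "2021-04-07T10:00:09Z 10.1.2.9 python.exe POST https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXX 200 1203",
    "2021-04-07T10:00:12Z 10.1.2.9 chrome.exe GET https://files.slack.com/files-pri/T00-F00/download/report.pdf 200 90000",
]

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EMAIL) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.kind:20} {f.detail:45} {f.url}")
```

Run as a script it prints one line per finding: the `.exe` attachment is rated high and the `.pdf` only info, and only the two webhook POSTs from `svchost.exe` and `python.exe` are reported, since the legitimate client post and the browser download are expected traffic. The point of the process check is that a webhook POST is indistinguishable from normal Discord use at the URL level, so the anomaly is who is sending it and how much.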