How Hackers Exploit Discord: A Case Study

Recent investigations have detailed how hackers have been able to leverage Discord integrations for financial and political gain.

A recent research paper from identity security provider CyberArk has illuminated how cyber threat actors have been able to leverage Discord API integrations to spread malware.

The platform, currently used by some 300 million people, bills itself as a “place to talk and hang out.” Since its creation in 2015, it has become popular among online communities, from gamers to political groups, allowing people to communicate with each other via text and voice.

The platform has generated controversy in the past. In 2020, Vice reported on an Internet leak of nearly 10 million messages from about 100 neo-Nazi and QAnon Discord servers.

Despite the platform’s history with these types of groups, CyberArk’s recent investigation uncovered how malware groups are using Discord’s content delivery network to distribute malicious payloads.

Hosting malicious payloads on Discord's content delivery network, where they are served over HTTPS from a trusted domain, has made it hard for security tooling to tell which downloads are safe and which are malicious.

“Being hosted on a popular service and protected by HTTPS makes the process of differentiating between malicious and benign files a difficult task,” the research determined.

So what are some of the methods malicious actors are currently using? One key method is tampering with the desktop client's own source code.

“One method that has recently gained popularity is to inject a payload into the Discord source code. This is possible due to the fact that Discord is a [ElectronJS] application written in NodeJS,” CyberArk’s investigation determined.

“ElectronJS is a framework that allows the creation of desktop applications that are, in essence, a NodeJS-based website running locally in a Chromium browser. All application source code is hosted locally in plain text and is not checked for tampering before execution.”

While conducting this research, CyberArk discovered potentially new cyber gangs that are actively targeting users.

Examining malware discovered in September 2022, researchers saw how cybercriminals leveraged Discord as a communications vector and source of financial gain.

The malware, which CyberArk dubbed Vare, was traced through code details to a GitHub account in which “the featured projects are all related to the Discord malware.” Other findings indicated that the malware developers were focused on harvesting Discord Nitro gift codes that could then be sold.

The group, called Kurdistan 4455, is alleged to have created malware that would examine an individual’s web browser, Discord, and network information before sending “all information collected via a Discord webhook.”

According to CyberArk's research, the threat actors had two main motivations.

“The first motivation is monetary, as they attempted to sell Discord Nitro to users at a discounted price, a common way to launder money from stolen credit card data on the platform,” they wrote.

“The second motivation is hacktivism. Based on their ideology and origin, we assume that this is due to the long conflict between Türkiye and the people of Kurdistan.”
