Cloud-based instant messaging platforms have allowed individuals to easily communicate and collaborate, but cybercriminals are also benefitting from these platforms and are abusing the services for a range of malicious purposes. Discord is one such platform that has been favored by cybercriminals for several years and is now being extensively used for phishing and malware distribution.

Discord is a VoIP, instant messaging and digital distribution platform that has been extensively adopted by the gaming community and latterly by a much broader range of users. In 2019, Discord has amassed around 150 million users worldwide and usership has grown considerably since then. The platform has long been abused by cybercriminals who have used the platform’s live chat feature for selling and trading stolen data, such as gift cards and login credentials, for anonymous communications, and the platform has also been abused to act as C2 servers for communicating with malware-infected devices.

In 2021, the platform has been increasingly used for distributing a wide range of malware variants such as information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware by abusing the cdn.discordapp.com service.

Discord, like other collaboration apps, use content delivery networks (CDNs) for storing shared files within channels. Cybercriminals can upload malicious files to Discord and create a public link for sharing, and that link can be shared with anyone, not just Discord users. The URL generated for sharing starts with https://cdn.discordapp.com/ so anyone receiving the link will see that the link is for a legitimate site. While there are controls to prevent malicious files from being uploaded, oftentimes cybercriminals can bypass those protections have get their malicious files hosted, and warnings are not always displayed to users about the risk of downloading files from Discord.  Since the malicious payloads are delivered via encrypted HTTPS, the downloads can be hidden from security solutions.

Further, once uploaded, the malware can be deleted from a chat, but it is still accessible using the public URL. Users are often tricked into downloading these malicious files under the guise of pirated software or games. Gamers have been targeted as their PCs typically have a high spec for gaming, which makes them ideal for cryptocurrency mining.

This method of malware distribution allows malware developers and distributers to easily distribute their malicious payloads with a high degree of anonymity. An analysis by Zscaler identified more than 100 unique malware samples from Discord in the Zscaler cloud in just a two-month period. Another analysis of Discord CDN results identified around 20,000 results on VirusTotal.

The Discord app is also easy to modify to perform malicious actions. Malicious JavaScript code can easily be added to the legitimated Discord client files and can be configured to run each time the client is launched or when specially crafted URLs are opened by the client.

Discord is far from the only communication and collaboration solution to be abused. Slack and Telegram are similarly being abused in phishing campaigns and for malware distribution.

How TitanHQ Can Improve Your Organization’s Security Posture

TitanHQ offers two cybersecurity solutions that can be configured to block the use of these legitimate platforms in the workplace and stop malicious links from being distributed to their employees. WebTitan is a powerful but easy-to-use DNS filtering and web security solution that can be configured to block access to sites such as Discord, thus preventing employees from visiting malicious content. Since WebTitan performs malware scans in real time, if malicious files are encountered, employees will be prevented from downloading them. WebTitan supports HTTPS (SSL) inspection so can decrypt, scan, then re-encrypt traffic to identify and block malicious content.

Malicious links to Discord are often distributed via phishing emails. SpamTitan Email Security prevents malicious emails from being delivered to inboxes, such as emails containing links to Discord, Telegram, or other services that are abused by cybercriminals and used to host phishing kits or malware.

Both solutions work seamlessly together to protect against email- and web-based cyberattacks and prevent credential theft, and malware and ransomware attacks. Both solutions are cost effective to implement and easy-to-use and are much loved by IT staff who benefit from a high level of protection coupled with a low management overhead.

If you want to improve protection from email and web-based attacks, contact TitanHQ today to find out more about these award-winning cybersecurity solutions. Both solutions are available on a free trial and a product demonstration can be arranged on request.

Further, these solutions have been developed to be MSP-friendly, with a range of benefits for managed service providers who want to want to improve email and web security for their clients.