Attackers are finding the file-sharing capabilities in popular group-chat apps such as Discord and Slack a convenient way to distribute malware, warns a new report from Cisco Talos, Cisco’s threat intelligence unit.
The risk isn’t just that hackers can gain access to a particular channel and trick people in it into downloading malware. Once a file containing malicious code is uploaded, attackers can also grab a freely accessible link to that file where it’s hosted on the chat system’s servers. Then, they can send that link to people via phishing emails, misleading texts, or any other method they have of reaching potential victims. In some cases, malware can connect to these sorts of links to download additional malicious code once it’s already running on victims’ machines.
Some malware also uses group-chat apps to share data with and receive commands from the people operating it, according to the report. In particular, Discord has an API (application programming interface) that enables programs to automatically post messages to channels on the service via a digital address called a webhook. That’s useful for many legitimate purposes, but it’s also valued by malware creators who want their software to essentially phone home from infected machines. And during the coronavirus pandemic, as more people are using platforms such as Discord and Slack to stay in touch with friends, coworkers, and others, so too are criminals moving to these tools for their own convenience, according to the Cisco Talos researchers.
“We’ve seen a marked increase in the abuse of collaboration apps like Discord and Slack to be used to both distribute malware and as a command-and-control system,” says Nick Biasini, a Cisco Talos threat researcher who worked on the report. Functionality such as that offered by Discord “allows them to manage command and control without having to manage their own server.”
One challenge for people trying to thwart these attacks is that malware and commands sent through these channels can blend in with other, legitimate traffic to files and chat rooms hosted on these platforms. Seeing a URL that mentions Discord, Slack, or another trusted channel might also help lull users into a false sense of security when it appears in a phishing email. And it’s also not possible for security experts to take down the domain hosting the malicious content, since it’s commingled with legitimate Slack or Discord files from around the world rather than on a domain of its own.
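The blending-in problem described above is what a defender has to work against: a link to cdn.discordapp.com or files.slack.com, or a POST to a Discord webhook, is normal traffic from a chat client and suspicious from almost anything else. The script below is an added example, not code from the Cisco Talos report or from either platform: it runs simple triage rules over constructed proxy-log lines (timestamp, client process, method, URL). The log format, process names, allowlist and sample URLs are assumptions made for the example; the URL shapes for Discord attachments (cdn.discordapp.com/attachments/...) and webhooks (discord.com/api/webhooks/...) are the publicly documented ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log: "<timestamp> <client process> <method> <url>".
SAMPLE_LOG = """\
2021-04-08T10:01:12Z discord.exe GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/holiday.png
2021-04-08T10:02:30Z powershell.exe GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/invoice_Q1.exe
2021-04-08T10:03:05Z updater.exe POST https://discord.com/api/webhooks/444444444444444444/REDACTED_TOKEN_PLACEHOLDER
2021-04-08T10:04:44Z slack.exe GET https://files.slack.com/files-pri/T000000-F000000/notes.pdf
2021-04-08T10:05:10Z svchost.exe GET https://files.slack.com/files-pri/T000000-F000001/setup.msi
2021-04-08T10:06:00Z chrome.exe GET https://example.com/index.html
"""

# File types that should rarely be pulled from a chat platform's file host.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd",
                         ".ps1", ".js", ".vbs", ".jar", ".hta", ".lnk"}

# Processes expected to talk to these platforms (assumed allowlist for the
# example); anything else contacting them gets a closer look.
EXPECTED_CLIENTS = {"discord.exe", "slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)$")


@dataclass
class Finding:
    timestamp: str
    process: str
    category: str   # discord_attachment | discord_webhook | slack_file
    severity: str   # high | medium | info
    reason: str
    url: str


def classify_url(url: str) -> Optional[str]:
    """Return the platform endpoint type a URL belongs to, or None."""
    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path
    if host == "cdn.discordapp.com" and path.startswith("/attachments/"):
        return "discord_attachment"
    if host in ("discord.com", "discordapp.com") and path.startswith("/api/webhooks/"):
        return "discord_webhook"
    if host == "files.slack.com":
        return "slack_file"
    return None


def is_executable(url: str) -> bool:
    """True if the URL's file name ends in an executable-type extension."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def assess(timestamp: str, process: str, method: str, url: str) -> Optional[Finding]:
    """Apply the triage rules to one log entry."""
    category = classify_url(url)
    if category is None:
        return None
    expected = process.lower() in EXPECTED_CLIENTS
    if category == "discord_webhook" and method == "POST" and not expected:
        sev, why = "high", "webhook POST from unexpected process (possible beacon/exfil)"
    elif category != "discord_webhook" and is_executable(url):
        sev, why = "high", "executable fetched from chat-platform file host"
    elif not expected:
        sev, why = "medium", "chat-platform URL contacted by unexpected process"
    else:
        sev, why = "info", "expected client traffic"
    return Finding(timestamp, process, category, sev, why, url)


def analyze_log(text: str) -> List[Finding]:
    """Parse the log text and return one Finding per platform-related entry."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        finding = assess(*m.groups())
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.process:15} {f.category:18} {f.reason}")
```

The rules deliberately key on the client process rather than the URL alone, since the page's point is that the URL itself looks legitimate; in a real deployment the allowlist and the log format would come from the proxy or EDR product in use, and the "info" findings would be dropped or sampled.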
In some cases, hackers use malware to harvest digital access tokens that can be used to connect to Discord, according to the report. That allows them to connect to the platform under other people’s accounts, adding another level of anonymity to their attacks.
Scanning for trouble
What are platforms doing to foil such intrusions by malware? “Discord relies on a mix of proactive scanning—such as antivirus scanning—and reactive reports to detect malware and viruses on our service,” a Discord spokesperson said in an email to Fast Company, adding that it’s taking steps to make it easier to identify such abuses, allow users to report issues, and to quickly triage them internally. “We also do proactive work to locate and remove communities misusing Discord for this purpose. Once we become aware of these cases or bad actors, we remove the content and take appropriate action on any participants.”
A Slack spokesperson said the app has blocked the ability to share executable files and is building tools to scan shared content for malware.
Using newly popular platforms for malicious activity is nothing new, Biasini says, explaining that attackers will likely always try to harness new digital tools for crime. “What you’re seeing is the opportunistic nature of adversaries,” he says. “This is just the newest iteration of it.”