The community uses dedicated Discord servers as a discussion board and selling place to spread malware families such as “Lunar”, “Snatch”, or “Rift”, which follow the current trend of malware-as-a-service. The discussion boards unveil that age-related insults are being thrown on a nearly daily basis. Kids also revealed their ages, discussed the idea of hacking teachers and their school systems and mentioned their parents in conversations. In a Discord group focusing on selling “Lunar”, there were over 1.5k users, out of which about 60-100 had a “client” role, meaning they paid for the builder. The prices of the malware builder tools differ depending on the type of tool and duration of access to the tool.
The types of malware exchanged among teens targets both minors and adults and have options that include password and private information stealing, cryptomining, and even ransomware. For example, if a client buys a builder tool and chooses to use it for data theft, the generated sample will send any stolen data to that particular client who generated and distributed it. Or, if a client uses a tool to generate a ransomware sample, the victim will be asked to send money to that particular client’s cryptowallet. Other prominent features include stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser containing adult content, apparently simply for the sake of pranking others.
“These communities may be attractive to children and teens as hacking is seen as cool and fun, malware builders provide an affordable and easy way to hack someone and brag about it to peers, and even a way to make money through ransomware, cryptomining and the sale of user data,” said Avast Malware Researcher Jan Holman. “However, these activities by far aren’t harmless, they are criminal. They can have significant personal and legal consequences, especially if children expose their own and their families’ identities online or if the purchased malware actually infects the kids’ computer, leaving their families vulnerable by letting them use the affected device. Their data, including online accounts and bank details, can be leaked to cybercriminals,” Holman added.
Malware distribution via YouTube
After purchasing and compiling their individualized malware sample, some clients use YouTube to market and distribute their malware. Avast researchers have seen clients create a YouTube video supposedly showing information about a cracked game, or game cheat, which they link to. However, the URL really leads to their malware instead. To create trust for their video, they ask other people on Discord to like and leave comments under the video, endorsing it and saying it is genuine. In some cases they even asked other people to comment that if their antivirus software detects the file as malicious, it’s a false positive.
“This technique is quite insidious, because instead of fake accounts and bots, real people are used to upvote harmful content. As genuine accounts are working together to positively comment on the content, the malicious link seems more trustworthy, and as such can trick more people into downloading it,” comments Jan Holman.
Through monitoring the online communities, Avast discovered that despite group members supporting each other with cybercrime partially meant as pranks, but also as actual information and money stealing, there are also conversations that easily become quite turbulent. A considerable amount of fighting, instability, and bullying amongst users with “cutthroat” competition that goes to the point of appropriating someone else’s codebase and slandering them was observed.
Malware builders are tools that allow users to generate malicious files without having to program anything. Typically, users only need to select the functionalities and customize details such as the icon. There are several builder-based malware families that have similar user interfaces with slightly different layouts, color pallets, names, and logos. They are usually short-lived projects based on a source code from GitHub or some other builder, rebranded with a new logo and name, sometimes slightly tweaked or modified with new functionalities.
Avast has created detections protecting users from the samples spreading on the servers and reached out to Discord to inform them about these groups. Discord confirmed they take action to address these types of communities, and has banned the servers associated with Avast’s findings.
How to Protect Kids from Dark Activities Online:
It’s very important to teach children to be critical of attractive offers, such as new game features unavailable in the official stores or pre-release versions of popular games. Parents also need to educate children on the importance of password security and tell them never to share their passwords with others, even if they claim to be their friends or a game master offering help. For the younger kids, it is crucial not to reveal any personal information when playing on multiplayer platforms, such as Discord or game Minecraft. Moreover, children still need ethical guidance about what is right or wrong, also in the digital space. What may seem venturesome and fun can bring serious harm to others and be an actual criminal offense. Young children may think they are safe as they aren’t legally liable yet, however, their parents are. It’s important for parents to talk to their children about this.
Discord also shared with Avast that they advise parents to help tailor the child’s settings to prevent them from receiving messages from strangers. More safety tips for parents can be found on the Discord blog.
For more information on the research, please visit: https://blog.avast.com/kids-discord-hacking-groups
Avast (LSE: AVST), a FTSE 100 company, is a global leader in digital security and privacy, headquartered in Prague, Czech Republic. With over 435 million users online, Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.
Keep in touch with Avast:
Media Contact: [email protected]
SOURCE Avast Software, Inc.