Sophos on Thursday warned that internet instant-chat service Discord is becoming an increasingly popular malware distribution channel.
In a blog post, security sleuths Sean Gallagher and Andrew Brandt said four per cent of all TLS-protected malware – representing about 46 per cent of all malware command-and-control communication – interacts with Discord.
“Sophos products detected and blocked, just in the past two months, nearly 140 times the number of detections over the same period in 2020,” they said.
Discord operates its own content delivery network (CDN) so that users can upload and share files with one another, and it provides an API for programmatic access to the service. Miscreants therefore see the platform both as a distribution channel and as a source of free infrastructure.
“We observed significant volumes of malware hosted in Discord’s own CDN, as well as malware interacting with Discord APIs to send and receive data,” said Gallagher and Brandt.
Malware creators are using Discord to serve, spread, and control malware aimed at Discord users. Some of the malware is tied to online gaming, given that many Discord users are players of youth-oriented titles such as Fortnite, Minecraft, or Roblox.
The researchers found game-cheating tools that integrate with Discord in-game (the chat app is often used for real-time communications during play). These tools allow one player to crash another player’s game, for example.
But much of the malware, they said, is focused on data theft, specifically credentials and personal information. And it’s often done in combination with social engineering efforts (e.g. to elicit login details or to convince targets to download and open a specific file).
They said they found several ransomware families hosted on the Discord CDN, along with numerous Android malware packages, including spyware and data theft apps.
Bad news rising
While abuse of this sort is not new, it has become more common. Gallagher and Brandt said in the past two months Sophos products have spotted and blocked a huge increase in malware instances over 2020 totals.
“In April, we reported over 9,500 unique URLs hosting malware on Discord’s CDN to Discord representatives,” they said. “In the second quarter, we detected 17,000 unique URLs in Discord’s CDN pointing to malware. And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways.”
Just prior to the publication of their post, said Gallagher and Brandt, there were more than 4,700 active, unique URLs in Discord’s CDN pointing to a malicious Windows .exe file.
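Defenders can look for this pattern in their own telemetry. The following is an added example, not code from the article or from Sophos: it scans constructed web-proxy log lines for fetches of executable-type files from Discord's attachment CDN and returns the client and URL of each hit. The log format, the hostnames cdn.discordapp.com and media.discordapp.net, and the /attachments/ path layout are assumptions of this example.

```python
"""Flag proxy-log entries that fetch executable files from Discord's CDN.

Assumptions (not from the article): the log is a space-separated
"<timestamp> <client-ip> <method> <url> <status>" format, and Discord
attachments are served from cdn.discordapp.com or media.discordapp.net
under /attachments/<channel-id>/<attachment-id>/<filename>.
"""
from urllib.parse import urlparse

DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Windows executable-style extensions worth a second look when fetched from a chat CDN.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".bat", ".ps1", ".vbs")


def is_discord_attachment(url: str) -> bool:
    """True if the URL points at a file in Discord's attachment CDN."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in DISCORD_CDN_HOSTS and parsed.path.startswith("/attachments/")


def is_executable_name(url: str) -> bool:
    """True if the last path segment has an executable-type extension (case-insensitive)."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name.endswith(EXECUTABLE_SUFFIXES)


def flag_discord_executables(log_lines):
    """Return (client_ip, url) for each line fetching an executable from Discord's CDN."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the scan
        client_ip, url = parts[1], parts[3]
        if is_discord_attachment(url) and is_executable_name(url):
            hits.append((client_ip, url))
    return hits


# Constructed sample lines (not real indicators): a mix of benign and suspicious fetches.
SAMPLE_LOG = [
    "2021-07-22T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/notes.png 200",
    "2021-07-22T10:01:09Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/111/333/Setup.EXE 200",
    "2021-07-22T10:02:11Z 10.0.0.9 GET https://example.com/attachments/111/444/tool.exe 200",
    "2021-07-22T10:03:15Z 10.0.0.7 GET https://media.discordapp.net/attachments/111/555/update.scr?x=1 200",
    "garbage line",
]

if __name__ == "__main__":
    for ip, url in flag_discord_executables(SAMPLE_LOG):
        print(f"{ip} fetched an executable from Discord's CDN: {url}")
```

A hit is a lead for triage (sandboxing the file, checking the endpoint), not proof of infection, since legitimate software is also shared over Discord.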
The researchers say other services like Slack and Telegram have been similarly misused and that they have reported their findings to Discord. Though they say the company has been responsive and removed identified malware, they also note that new malware keeps appearing and they question the efficacy of its approach.
“While Discord has some malware screening capabilities, many types of malicious content slip by without notice,” they said.
“And when users get caught, they can burn their account and create a new one. Discord relies heavily on user reports to police abuse. But when the Discord architecture is used for activities that are limited to targets not necessarily within the Discord user community, they can go unreported and persist for months.”
“Platform security is a priority for us,” a Discord spokesperson told The Register.
“Discord relies on a mix of proactive scanning – such as antivirus scanning – and reactive reports to detect malware and viruses on our service before they reach users. We also do proactive work to locate and remove communities misusing Discord for this purpose. Once we become aware of these cases or bad actors, we remove the content and take appropriate action on any participants.
“We value feedback from trusted sources like Sophos whose expertise can help identify malware so that we can remove it and ensure no further distribution occurs on Discord. In this case, our Trust & Safety team worked closely with the Sophos team to remove all of the malware links that their technology identified.” ®