Researchers Say Discord Still a High Risk For Nation-State Hackers
Discord Described as a 'Playground' for Nation States
Nation-state hacking groups have now joined the ranks of threat actors leveraging legitimate infrastructure for malicious purposes. According to recent findings, these cyber adversaries are increasingly utilizing the popular social platform Discord to target critical infrastructure.
Discord has become an attractive platform for abuse in recent years, serving as a fertile ground for hosting malware and enabling information stealers to extract sensitive data through its content delivery network (CDN). Additionally, Discord's webhook feature has given attackers a convenient channel for data exfiltration.
A report by cybersecurity firm Trellix highlights the evolving landscape of threat actors' exploitation of Discord. "The usage of Discord is largely limited to information stealers and grabbers that anyone can buy or download from the Internet," state Trellix researchers Ernesto Fernández Provecho and David Pastor Sanz.
However, the researchers discovered evidence of an artifact specifically targeting Ukrainian critical infrastructures. At present, there is no confirmed link to a known threat group.
The attack vector involves the distribution of a Microsoft OneNote file through an email impersonating the non-profit organization dobro.ua. Upon opening the file, recipients are deceived into donating to Ukrainian soldiers by clicking a booby-trapped button. This action triggers the execution of a Visual Basic Script (VBS) designed to extract and run a PowerShell script. The PowerShell script then downloads another PowerShell script from a GitHub repository.
In the final stage, the PowerShell script uses a Discord webhook to exfiltrate system metadata. Notably, the researchers emphasize that the ultimate goal of the payload is solely to obtain information about the targeted system. This indicates that the campaign is still in its early stages, aligning with the usage of Discord as a communication channel.
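The chain described in the two paragraphs above (OneNote file, script host, PowerShell, GitHub download, Discord webhook) leaves a recognisable footprint in endpoint telemetry. The following Python is an added hunting example written for this article; it is not Trellix's code and not derived from the report's indicators. It runs two rules over constructed, simplified Sysmon-style events: an Office application spawning a script host that spawns a shell, and an HTTP POST to a Discord webhook URL from a process that is neither a browser nor the Discord client. All PIDs, paths, repository names and webhook IDs are placeholders; the Discord webhook URL pattern and the process names are the only real values.

```python
"""Hunting rules for an Office -> script host -> shell -> Discord webhook chain.

Added example for this article, not code from the Trellix report.
Telemetry below is constructed; every identifier in it is a placeholder.
"""
import re
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style events (process creation + network).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"},
    {"type": "process", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\victim\AppData\Local\Temp\donate.vbs"},
    {"type": "process", "pid": 4133, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File stage1.ps1"},
    {"type": "network", "pid": 4133, "method": "GET",
     "url": "https://raw.githubusercontent.com/PLACEHOLDER-org/PLACEHOLDER-repo/main/stage2.ps1"},
    {"type": "network", "pid": 4133, "method": "POST",
     "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    # Benign noise: a browser posting to a webhook (e.g. a web app integration).
    {"type": "process", "pid": 5200, "ppid": 3900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "pid": 5200, "method": "POST",
     "url": "https://discord.com/api/webhooks/111111111111111111/PLACEHOLDER_TOKEN"},
]

# Public URL shape of a Discord webhook endpoint (discord.com or discordapp.com).
WEBHOOK_URL = re.compile(
    r"^https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Processes for which a webhook POST is plausible in normal use.
EXPECTED_WEBHOOK_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def index_processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestors(procs, pid, depth=3):
    """Image basenames of pid and its ancestors, nearest first, up to depth."""
    chain = []
    while pid in procs and len(chain) < depth:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def find_office_script_chains(events):
    """Rule 1: shell whose parent is a script host whose parent is an Office app."""
    procs = index_processes(events)
    hits = []
    for pid in procs:
        chain = ancestors(procs, pid, depth=3)
        if (len(chain) == 3 and chain[0] in SHELLS
                and chain[1] in SCRIPT_HOSTS and chain[2] in OFFICE_APPS):
            hits.append(pid)
    return hits


def find_webhook_posts(events):
    """Rule 2: POST to a Discord webhook from an unexpected process."""
    procs = index_processes(events)
    hits = []
    for e in events:
        if e["type"] != "network" or e["method"] != "POST":
            continue
        if not WEBHOOK_URL.match(e["url"]):
            continue
        proc = procs.get(e["pid"])
        image = basename(proc["image"]) if proc else "unknown"
        if image not in EXPECTED_WEBHOOK_CLIENTS:
            hits.append({"pid": e["pid"], "image": image, "url": e["url"]})
    return hits


def hunt(events):
    """Combine both rules; a PID matching both is the strongest signal."""
    chains = set(find_office_script_chains(events))
    webhook_pids = {h["pid"] for h in find_webhook_posts(events)}
    findings = []
    for pid in sorted(chains | webhook_pids):
        reasons = []
        if pid in chains:
            reasons.append("office->script-host->shell chain")
        if pid in webhook_pids:
            reasons.append("POST to Discord webhook")
        severity = "high" if len(reasons) == 2 else "medium"
        findings.append((severity, pid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

The webhook rule deliberately keys on the process rather than on the domain alone, since blocking or alerting on every connection to discord.com is noisy on hosts where the client is in legitimate use; the GitHub download stage can be handled the same way by matching raw.githubusercontent.com fetches from the same shell process set.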
"The potential emergence of APT malware campaigns exploiting Discord's functionalities introduces a new layer of complexity to the threat landscape," warn the Trellix researchers.
As the threat landscape continues to evolve, researchers warn that cybersecurity professionals and organizations must remain vigilant. By staying informed about emerging tactics and leveraging advanced threat intelligence solutions, businesses can better protect their critical infrastructure from the ever-growing sophistication of nation-state hacking groups and other threat actors.