Thanks in large part to the global pandemic, collaboration platforms like Discord and Slack have taken up intimate positions in our lives, helping to maintain personal bonds despite physical isolation. But their growing role has also made them a powerful means of delivering malware to unwitting victims, sometimes in unexpected ways.
Cisco’s security division, Talos, published new research Wednesday highlighting how, during the Covid-19 pandemic, collaboration tools like Slack and, much more commonly, Discord have become handy mechanisms for cybercriminals. More and more frequently, they are used to deliver malware to victims in the form of a link that looks trustworthy. In other cases, hackers have integrated Discord into their malware to remotely control their code running on infected machines, and even to steal data from victims. Cisco’s researchers note that none of the techniques they found actually exploit a clear hackable vulnerability in Slack or Discord, or even require Slack or Discord to be installed on the victim’s machine. Instead, they simply take advantage of some little-scrutinized features of these collaboration platforms, along with their ubiquity and the trust that users and sysadmins have placed in them.
“People are much more likely to do things like click on a Discord link than they might have in the past because they’re used to seeing their friends and colleagues post files to Discord and send them a link,” says Cisco Talos security researcher Nick Biasini. “Everyone uses collaboration apps, everyone knows them, and the bad guys have noticed they can be abused.”
Among the techniques for abusing collaboration apps that Cisco’s researchers warn about, the most common uses the platforms primarily as a file hosting service. Discord and Slack allow users to upload files to their servers and create externally accessible links to those files, so anyone with the link can click it and access the file. In many cases, Cisco found that these files are malicious; the researchers list nine recent remote-access spying tools that hackers attempted to install this way, including Agent Tesla, LimeRAT, and Phoenix Keylogger.
The links don’t have to be delivered to victims inside Slack or Discord. They can also be sent via email, where hackers can much more easily target victims en masse, impersonate a victim’s coworkers, and reach users with whom they have no prior connection. As a result, Cisco has seen a significant increase in the use of these links to distribute malware via email over the past year. “Over the past few months, we’ve seen tens of thousands of them, and the rate has been rising steadily,” says Biasini. “Right now it seems to be at its peak.”
Security firm Zscaler also noted the increase in cybercriminals’ use of the technique in research published in February, warning that it had spotted up to two dozen malware variants per day, including ransomware and cryptocurrency miners, delivered as fake video games embedded in Discord links. Hackers also used the technique to plant malware that steals Discord authentication tokens from victims’ computers, allowing the hacker to impersonate them on Discord and spread more malicious Discord links while using a victim’s account to cover their tracks.
In addition to exploiting the trust users place in Slack and Discord links, this technique also helps obscure the malware, since Slack and Discord serve their links over HTTPS and compress files as they are downloaded. And while other malware hosting methods can be taken offline or blocked once a hacker’s server is discovered, Slack and Discord links are far harder to remove or to prevent users from accessing. “Adversaries will most likely be affected by things like shutting down a server, shutting down a domain, blacklisting files,” says Biasini. “And what they did was find a way to break that.”
In addition to hosting their malware behind Discord and Slack links, cybercriminals also use Discord as a command-and-control and data-theft component of their malware. Discord allows programmers to add “webhooks” to their code that automatically update a Discord channel with information from an app or website. Cybercriminals have exploited that feature to relay information from infected computers to the command-and-control server they use to administer a botnet, or even to exfiltrate data from a victim’s machine to that server. As with the malicious-link technique, this webhook trick hides malicious traffic inside otherwise innocent, encrypted Discord communications and makes the hacker’s infrastructure harder to take down. (While Slack also offers a similar webhook feature, Cisco says it hasn’t yet seen hackers abuse it the way they have Discord’s.)
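As an added illustration that is not part of the Talos or Zscaler research, the following Python scans constructed proxy-log lines for the two abuse routes the article describes: files served from Discord’s and Slack’s file-hosting links, and webhook endpoints reachable from inside a network that could carry command-and-control or exfiltrated data. The hostnames and path formats are assumptions based on the platforms’ public URL conventions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Host -> (category, path pattern). Hostnames and path layouts are assumptions
# drawn from the platforms' public URL conventions, not from the article.
HOST_RULES = {
    "cdn.discordapp.com":  ("discord-attachment", r"^/attachments/\d+/\d+/"),
    "media.discordapp.net": ("discord-attachment", r"^/attachments/\d+/\d+/"),
    "files.slack.com":     ("slack-file",         r"^/files-"),
    "discord.com":         ("discord-webhook",    r"^/api/webhooks/\d+/"),
    "discordapp.com":      ("discord-webhook",    r"^/api/webhooks/\d+/"),
    "hooks.slack.com":     ("slack-webhook",      r"^/services/"),
}

# File types that deserve a higher-severity alert when fetched from a collaboration CDN.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".zip", ".rar", ".7z", ".iso")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_url(url):
    """Return (category, risky_file) for a collaboration-platform URL, else None."""
    p = urlparse(url)
    rule = HOST_RULES.get(p.hostname) if p.hostname else None  # hostname is already lowercased
    if not rule or not re.match(rule[1], p.path):
        return None
    return (rule[0], p.path.lower().endswith(RISKY_EXT))

def scan_lines(lines):
    """Return [(line_no, category, url, risky)] for every matching URL in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")  # strip trailing punctuation captured from prose/logs
            c = classify_url(url)
            if c:
                hits.append((n, c[0], url, c[1]))
    return hits

# Constructed proxy-log lines (not real traffic); the webhook token is a placeholder.
SAMPLE_LOG = [
    "2021-04-07T10:01:12Z ws-17 GET https://cdn.discordapp.com/attachments/111/222/invoice.exe 200",
    "2021-04-07T10:01:40Z ws-17 POST https://discord.com/api/webhooks/333/EXAMPLETOKEN 204",
    "2021-04-07T10:02:03Z ws-09 GET https://cdn.discordapp.com/attachments/444/555/team-photo.png 200",
    "2021-04-07T10:02:30Z ws-09 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for line_no, category, url, risky in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {category}{' [risky file type]' if risky else ''} {url}")
```

A POST to a webhook endpoint from a workstation that has no Discord client installed is the signal worth correlating with endpoint telemetry, since the article notes the abuse needs no Discord installation on the victim.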