Discord and Slack are becoming hotbeds for malware

Lock
(Image credit: Shutterstock)

Several popular online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to distribute malware, experts have warned.

A new report from Cisco’s Talos cybersecurity team found that the Content Delivery Networks (CDN) methods which many instant messaging platforms use to allow seamless filesharing, are at the very heart of criminals’ newfound love for these chat apps. 

CDNs allow users to store files on the apps’ servers and are often hardcoded, making them available inside and outside the app. Uploading compressed files over encrypted HTTPS makes detection extremely difficult, while users tend to be less careful when receiving files from inside a known and trusted environment.

The targeted tools come with a few perks, designed to make communication more seamless, that cybercriminals can leverage to distribute malware and ransomware more easily, and they’ve quickly jumped on that bandwagon. Besides distribution, they’re also using these platforms for command and control, as well as to exfiltrate sensitive data from the victims.

The method has grown so popular that, Talos claims, a simple search for samples that reach out to the Discord CDN resulted in almost 20,000 samples in VirusTotal.

“This technique was frequently used across malware distribution campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems,” the team explained in the blog post.

Data exfiltration and notification

When it comes to data exfiltration, the Discord API, for example, has proven to be quite an effective tool. As the webhook functionality (originally intended to send automated alerts) was designed to be able to send out any type of information, and malware frequently use it to make sure stolen data reach their intended destination.

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”

They also use webhooks to be notified of a newly infected system, for example.

As instant messaging apps grow in popularity, the threats will grow with them. Businesses need to be aware of the risks, and carefully choose which platform to use, the researchers concluded. 

“As more applications become available and some rise and fall in popularity, new avenues will continually be opened for adversaries.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.