Discord increasingly used as malware host

(Image Credit: Alexander Shatov on Unsplash)

Researchers from Sophos claim messaging platform Discord is being increasingly used by cybercriminals to host and spread malware. The details are revealed in a blog by Sean Gallagher and Andrew Brandt. They claim that 4% of TLS-protected malware downloads are now coming from Discord.

There are two reasons for this. Discord runs its own content delivery network (CDN). It also has an API that allows developers to interact with the platform. The researchers claim that they: “observed significant volumes of malware hosted in Discord’s own CDN, as well as malware interacting with Discord APIs to send and receive data.”

Who is the malware targeting?

Gallagher and Brandt say that Discord has a large and very active population of gamers, especially young gamers. They are often looking for information and help to succeed in the games that they play. It means that malware which pretends to be help files or code that can give a gamer an edge is attractive.

Another increasingly large group are those attending conferences. Over the last two years, there has been an increase in Discord use by security conferences. It means that many cybersecurity researchers and staff from vendors and customers are present on the platform. These are prime targets for cybercriminals as they often have privileged access inside their organisations.

What malware is being distributed?

No surprise that the majority of the malware was focused on credential and personal information theft. There are two uses of that data. The first is to see if it gives the cybercriminal access to other accounts operated by their victims. Many may well use the same user credentials in their games as for their Discord access. It allows the cybercriminal to take over the gaming accounts of the victim. They can steal items that a player has won or bought and resell them inside and outside the game.

The other use of that data is to underpin social engineering attacks. It allows attackers to compromise more Discord users, especially those who are not likely to download malicious gaming files. This also helps the attacker gain access to more Discord groups, especially those that are by invitation only.

How fast is this spreading across Discord?

In the last two months, Sophos has detected and blocked almost 140 times more malware than in the same period in 2020. That is a phenomenal rate of growth. The researchers provided more details on that, saying: “In April, we reported over 9,500 unique URLs hosting malware on Discord’s CDN to Discord representatives.

“In the second quarter, we detected 17,000 unique URLs in Discord’s CDN pointing to malware. And this excludes the malware not hosted within Discord that leverage Discord’s application interfaces in various ways. At just prior to publication time, more than 4,700 of those URLs, pointing to a malicious Windows .exe file, remained active.”

These are worrying numbers for Discord. While they demonstrate Discord is responding to reports, the challenge is blocking the malware before it gets on the platform. This is not simple. Like many social platforms, Discord does no verification of users. It means that an attacker can delete one account when caught and create a new one to continue their attacks.

Enterprise Times: What does this mean?

The success and strength of Discord have come from its CDN and API. However, these are now being used against it, and it seems that the platform was unprepared for that. The concern here is that many will simply dismiss this as a problem for gamers. They are mistaken. There is a growing number of conference organisers and non-gaming organisations gravitating to the platform. Many are there for the openness and ease of collaboration that Discord offers.

The challenge for Discord is how to improve its security. It could start with dealing with the risk from credential stealers. Warning users to not recycle credentials across multiple Discord servers would be a good move. It could provide tools to track the reuse of credentials and provide users with a tool to detect reuse or even the leak of credentials. Various browsers such as Edge and Safari are already doing this. Discord could look at similar functionality.

Another option would be to do file scanning for all uploads. This will prevent some files from being uploaded and any increase in the detection of malicious files is to be welcomed.

A third option is to look more closely at its API and how it is being misused. As Gallagher and Brandt write: “the Discord API is fertile ground for malicious command and control network capability that conceals itself in Discord’s TLS-protected network traffic (as well as behind the service’s reputation).”

