Trellix flags Discord APT exploitation, as hackers target Ukrainian critical infrastructures

Researchers at the Trellix Advanced Research Center have previously analysed malware that abused Discord infrastructure. However, most of those samples are information stealers and Remote Access Trojans (RATs) that can be obtained from the Internet, which is quite different from one sample targeting Ukrainian critical infrastructures that the researchers were able to retrieve recently. This is the first time a sample associated with APT (advanced persistent threat) activity was found abusing Discord.

Trellix identified in a Monday blog post that Discord works over HTTP/HTTPS, thus making it appealing to malicious hackers since it is often enabled in both corporate and non-corporate networks. “Also, it allows them to blend their traffic in the network, hindering detection from security software and researchers. The ways malicious software abuses Discord focuses on two main techniques: downloading additional files and exfiltrating information,” it added.

The team revealed that it has used “Threatray’s malware tracking and intelligence capabilities to explore the threat landscape of malware abusing Discord’s CDN and webhooks. We have examined a dataset comprising approximately 10 million malware samples spanning the past three years, and identified several patterns and trends that shed new light on the evolving threat landscape facing modern businesses and organizations.”

The usage of Discord is largely limited to information stealers and grabbers that anyone can buy or download from the Internet, Trellix detailed. “Historically, major APT groups have not been observed abusing it, probably because they do not have full control of the command-and-control (C&C) server. This means that Discord can access their data and close their accounts, something that would be terrible for them if an ongoing operation is taking place.”

Nevertheless, this situation may change soon based on one sample targeting Ukrainian critical infrastructures, which the Trellix Advanced Research Center has recently discovered. “We have not yet found any strong indicator to relate this sample to any known APT group, but continue to investigate and monitor,” they pointed out. 

At the time of writing, the researchers confirmed that they “have not seen any further related samples in our telemetry. This suggests the attack was targeting only the Ukrainian critical infrastructure organizations where the sample was recovered, and any further stages apart from the ones described could not be retrieved.”

The fact that the only goal of the final payload is obtaining information about the system indicates that the campaign is still in an early stage, which also fits with the usage of Discord as C&C, the researchers said. “However, it is important to highlight that the actor could deliver a more sophisticated piece of malware to the compromised systems in the future by modifying the file stored in the GitHub repository.”

In light of the continuously evolving security landscape, a troubling trend has emerged in recent times with the exploitation of communication platforms like Discord for malicious purposes. “The abuse of Discord’s CDN as a distribution mechanism for additional malware payloads showcases the adaptability of cybercriminals to exploit collaborative applications for their gain. By disguising malicious files within seemingly harmless content, these threat actors can easily evade traditional security measures,” the post added.

Furthermore, the utilization of Discord’s webhooks to exfiltrate sensitive information highlights the versatility of this platform in facilitating data theft. These hooks, initially designed for automation and integration, have inadvertently become a tool for malicious actors to extract sensitive data without raising suspicion.

“The potential emergence of APT malware campaigns exploiting Discord’s functionalities introduces a new layer of complexity to the threat landscape,” the Trellix post added. “APTs are known for their sophisticated and targeted attacks, and by infiltrating widely used communication platforms like Discord, they can efficiently establish long-term footholds within networks, putting critical infrastructure and sensitive data at risk.”

However, the researchers stressed that APT groups have not used Discord in the past for a reason: they do not fully control the C&C channel. “It seems probable that APT actors would only use Discord in the future in the early stages or for reconnaissance, like we have seen previously, leaving more reliable methods for later stages.”

They added that when it comes to general malware, it is a different landscape since many of them have been using Discord capabilities to perform their activities for years. From information-stealing trojans to ransomware and beyond, the extent of the threat to businesses is expansive and evolving.

“The usage of Discord to evade detection was already a thing, but the fact that APT actors have started to use it is a new reality that security researchers must take on,” Trellix said. “To ensure proper detection of these nefarious activities and protect systems, Discord communications should be monitored and controlled, blocking them if necessary.”
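As an added example that is not from the Trellix post, the Python triage script below applies the monitoring advice above to constructed proxy log lines: it flags GETs of executable-looking files from Discord's attachment CDN (payload download) and POSTs to Discord webhook URLs (exfiltration), and reports clients that show both behaviours. The log format and sample entries are constructed; the host names and webhook path pattern are Discord's public endpoints.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: timestamp client method url status bytes
SAMPLE_LOG = """\
2023-10-16T09:12:01Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/111/222/report.pdf 200 48213
2023-10-16T09:12:04Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/111/333/update.exe 200 912331
2023-10-16T09:12:09Z 10.0.0.15 POST https://discord.com/api/webhooks/444/abcDEFtoken 204 3120
2023-10-16T09:13:00Z 10.0.0.22 GET https://example.org/index.html 200 5120
"""

# Hosts serving Discord attachments, and hosts exposing the webhook API.
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
# File types a workstation should not normally pull from a chat CDN.
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta", ".scr", ".zip", ".iso")


def classify(line):
    """Return a finding dict for one log line, or None if it is not Discord-related."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, _status, size = parts
    u = urlparse(url)
    host = u.hostname or ""
    if host in CDN_HOSTS and method == "GET":
        kind = "cdn_payload_download" if u.path.lower().endswith(SUSPICIOUS_EXT) else "cdn_download"
        return {"ts": ts, "client": client, "kind": kind, "url": url}
    if host in WEBHOOK_HOSTS and method == "POST" and WEBHOOK_RE.match(u.path):
        # Bytes sent to a webhook is the size of whatever was exfiltrated.
        return {"ts": ts, "client": client, "kind": "webhook_exfil", "bytes": int(size), "url": url}
    return None


def scan(log_text):
    """Classify every line and keep only the Discord-related findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def clients_with_both(findings):
    """Clients that both fetched a payload from the CDN and posted to a webhook."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["kind"])
    return sorted(c for c, kinds in by_client.items()
                  if {"cdn_payload_download", "webhook_exfil"} <= kinds)
```

Feed real proxy or firewall logs through `scan` after mapping their fields to the six-column format; a client that appears in `clients_with_both` has shown both techniques the post describes.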

Earlier this week, the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that threat actors ‘interfered’ with at least 11 telecommunication service providers in the country between May and September 2023. The agency is tracking the activity under the name ‘UAC-0165,’ stating the intrusions led to customer service interruptions.

New Microsoft data disclosed a surge in cyberattacks, impacting 120 countries over the last year, with nearly half of these attacks targeting NATO member states. It also identified that over 40 percent of these cyberattacks were leveled against government or private-sector organizations involved in building and maintaining critical infrastructure. The report also noted a shift in recent cyberattacks away from destruction or financial gain toward stealing information, monitoring communications, or manipulating what people read.
