Abaddon RAT ! Sophisticated C2C

The new ‘Abaddon‘ remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC.

Threat actors abusing Discord for malicious activity is nothing new.

A new ‘Abaddon’ remote access trojan (RAT) could be the first malware that uses Discord as a full-fledge command and control server.

When started, Abaddon will automatically steal the following data from an infected PC:

  • Chrome cookies, saved credit cards, and credentials.
  • Steam credentials and list of installed games
  • Discord tokens and MFA information.
  • File listings
  • System information such as country, IP address, and hardware information.

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by the image below.

Receive a task from the Discord server

These commands will tell the malware to perform one of the following tasks:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the computer like encryption and decryption after paying ransom

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s