Cybercriminals launched new campaigns targeting online users and gamers. One thing that many of these campaigns share in common is the fact that cybercriminals have begun leveraging the group-chatting platform Discord as a CDN for hosting their malicious payloads.

Crisp Note

  • Zscaler’s ThreatLabZ team revealed the widespread use of the service to host multiple payloads, including the Epsilon ransomware, Redline stealer, XMRig miner, and Discord token grabbers.
  • Many of these campaigns relied on the cdn.discordapp.com service for their infection chain.
  • Malicious files were renamed as pirated software or gaming software to trick gamers.
  • To make it look more convincing, cybercriminals used file icons related to popular games.

Discord a target

  • Researchers found three malicious software packages published on the npm open-source repository.
  • The packages, named an0n-chat-lib, discord-fix, and sonatype, shared similarities with  CursedGrabber Discord malware and were designed to steal tokens and other information from Discord users.
  • The stolen token, in turn, would allow the attackers to hack the server.

Discord an attack vector

  • Scam artists seeking ways to make easy cash, targeted Discord servers in a cryptocurrency scam.
  • The scammers entered into Discord servers and sent private messages to users that appeared to be from new and upcoming cryptocurrency exchanges.
  • This new trend in scams that leverage Discord servers explains the far-sightedness of cybercriminals aiming for more victims in less time. 

Final Thoughts

Discord is a chatting platform built primarily for gamers. Over the years, the platform has become increasingly popular among other professional communities for sharing information and this is no secret. Threat actors are now relying on the Discord app to host malicious files. Due to the static content distribution service, it remains publicly accessible even after removing actual files from Discord.