Discord CDN Abuse Found to Deliver 27 Unique Malware Types

External Threat Management Labs

Discord CDN Abuse Found to Deliver 27 Unique Malware Types

October 21, 2021

By Team RiskIQ

Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files.

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers.

However, many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by actors by creating channels with the sole purpose of delivering these malicious files.

Although Discord was initially geared towards the gaming community, many organizations are using it for workplace communication. As a result of these malicious code files stored on Discord's CDN, many organizations could be allowing this bad traffic onto their network.

Malware in the Message

Files on the Discord CDN use a Discord domain with the link in the following format:

hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}

With RiskIQ's deep and comprehensive view of the infrastructure across the web, our platform can detect these links and query Discord channel IDs used in these links. This process enables us to identify domains containing web pages that link out to a Discord CDN link with a specific channel ID.

For example, the RiskIQ platform can query the channel IDs associated with zoom-download[.]ml. This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord's CDN.

In another example, the channel ID for a URL containing a Raccoon password stealer file returned a Taplink domain. Taplink provides users with micro landing pages to direct individuals to their Instagram and other social media pages. A user likely added the Discord CDN link to their Taplink page.

Querying these IDs enables RiskIQ users to understand which Discord files and associated infrastructure are concerning and where they are across the web.

While RiskIQ cannot tell which Discord server a channel is associated with, we can determine the date and time of when a channel was created. Channels created within a few days before the first observation of a file in VirusTotal are assumed to have the sole purpose of distributing malware files.

This technique enabled RiskIQ researchers to uncover and catalog 27 unique malware types hosted on Discord's CDN.

You can read the full article containing the list of IOCs in the RiskIQ Threat Intelligence Portal here.

Meet the Malware

RiskIQ detected Discord CDN URLs containing .exe, DLL, and various document and compressed files. After reviewing the hashes on VirusTotal, we determined that more than 100 were delivering malicious content. RiskIQ detected more than eighty files from seventeen malware families, but the most common malware observed on Discord's CDN was Trojans.

Screenshot of a web page with menu links that download AsyncRAT hosted on Discord’s CDN.

RiskIQ observed a single file per channel ID for most malware detected on Discord's CDN. Based on Microsoft's detection of the files we observed, a total of 27 unique malware families, encompassing four types:

Backdoors, e.g., AsyncRat
Password Stealers, e.g., DarkStealer
Spyware, e.g., Raccoon Stealer
Trojans, e.g., AgentTesla

Read the full article containing each of these 27 malware families RiskIQ Threat Intelligence Portal here.

Combat CDN Abuse

The abuse of Discord's infrastructure shines a light on the growing problem of CDN abuse by threat actors across the web. Leveraging internet-wide visibility to detect signs of malware in CDN infrastructure is crucial to minimizing the impact these valuable malware-delivery mechanisms could have against your organization.

All Discord CDN links were reported to Discord via https://support.discord.com/hc/en-us/requests/new.

You can read the full article containing the list of IOCs in the RiskIQ Threat Intelligence Portal here.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event