External Threat Management Labs

Discord CDN Abuse Found to Deliver 27 Unique Malware Types

Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files. 

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

However, many files sent across the Discord platform are malicious, pointing to significant abuse of its self-hosted CDN by actors who create channels with the sole purpose of delivering these malicious files.

Although Discord was initially geared towards the gaming community, many organizations are using it for workplace communication. As a result of these malicious code files stored on Discord's CDN, many organizations could be allowing this bad traffic onto their network.

Malware in the Message 

Files on the Discord CDN are served from a Discord domain, with links in the following format:

hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown)

With RiskIQ's deep and comprehensive view of the infrastructure across the web, our platform can detect these links and query Discord channel IDs used in these links. This process enables us to identify domains containing web pages that link out to a Discord CDN link with a specific channel ID. 

For example, the RiskIQ platform can query the channel IDs associated with zoom-download[.]ml. This domain attempts to trick users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord's CDN.

In another example, the channel ID for a URL containing a Raccoon password stealer file returned a Taplink domain. Taplink provides users with micro landing pages to direct individuals to their Instagram and other social media pages. A user likely added the Discord CDN link to their Taplink page.

Querying these IDs enables RiskIQ users to understand which Discord files and associated infrastructure are concerning and where they are across the web. 

While RiskIQ cannot tell which Discord server a channel is associated with, we can determine the date and time of when a channel was created. Channels created within a few days before the first observation of a file in VirusTotal are assumed to have the sole purpose of distributing malware files.
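The triage described above (pull the channel ID out of each CDN link, recover the channel's creation time, and flag channels created shortly before the file was first seen) can be scripted. The following is an added example, not RiskIQ's code; it relies on the documented Discord snowflake layout (creation time in the upper bits, milliseconds since 2015-01-01T00:00:00Z), and the seven-day window, the sample links and their IDs are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Discord snowflakes store creation time in their upper bits, in ms since the Discord epoch.
DISCORD_EPOCH_MS = 1420070400000

# Attachment URL shape from the post; the third path segment is the file name.
CDN_LINK_RE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/(\d+)/(\d+)/([^\s\"'<>]+)",
    re.IGNORECASE,
)

def refang(text: str) -> str:
    """Undo the hxxp / [.] defanging used in threat reports before matching."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def snowflake_to_datetime(snowflake: int) -> datetime:
    """Recover the UTC creation time encoded in a Discord snowflake."""
    return datetime.fromtimestamp(((snowflake >> 22) + DISCORD_EPOCH_MS) / 1000, tz=timezone.utc)

def snowflake_from_datetime(dt: datetime) -> int:
    """Inverse of the above; used here only to build constructed sample IDs."""
    return (int(dt.timestamp() * 1000) - DISCORD_EPOCH_MS) << 22

def triage(text: str, first_seen: datetime, window_days: int = 7) -> list[dict]:
    """Extract every CDN attachment link and flag channels created within
    `window_days` before the file was first observed (e.g. first VirusTotal submission)."""
    results = []
    for m in CDN_LINK_RE.finditer(refang(text)):
        channel_id, attachment_id, filename = int(m.group(1)), int(m.group(2)), m.group(3)
        created = snowflake_to_datetime(channel_id)
        results.append({
            "channel_id": channel_id,
            "attachment_id": attachment_id,
            "filename": filename,
            "channel_created": created,
            "suspicious": timedelta(0) <= first_seen - created <= timedelta(days=window_days),
        })
    return results

# Constructed sample: one link from a channel made three days before the file
# surfaced, one from a channel that had existed for years (IDs are not real).
CONSTRUCTED_FIRST_SEEN = datetime(2021, 7, 18, 9, 30, tzinfo=timezone.utc)
FRESH_CHANNEL = snowflake_from_datetime(datetime(2021, 7, 15, 12, 0, tzinfo=timezone.utc))
OLD_CHANNEL = snowflake_from_datetime(datetime(2019, 1, 1, 0, 0, tzinfo=timezone.utc))
SAMPLE_PAGE = (
    f'<a href="hxxps://cdn.discordapp[.]com/attachments/{FRESH_CHANNEL}/{FRESH_CHANNEL + 900}/ZoomOutlookPlugin.exe">Download</a>\n'
    f'<a href="https://cdn.discordapp.com/attachments/{OLD_CHANNEL}/{OLD_CHANNEL + 900}/notes.pdf">Notes</a>\n'
)
```

Running `triage(SAMPLE_PAGE, CONSTRUCTED_FIRST_SEEN)` flags only the first link; the channel age is a triage signal to prioritise hash lookups, not proof of malice on its own.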

This technique enabled RiskIQ researchers to uncover and catalog 27 unique malware types hosted on Discord's CDN. 

You can read the full article containing the list of IOCs in the RiskIQ Threat Intelligence Portal here.

Meet the Malware

RiskIQ detected Discord CDN URLs containing .exe, DLL, and various document and compressed files. After reviewing the hashes on VirusTotal, we determined that more than 100 were delivering malicious content. RiskIQ detected more than eighty files from seventeen malware families, but the most common malware observed on Discord's CDN were Trojans.

Screenshot of a web page with menu links that download AsyncRAT hosted on Discord’s CDN.

RiskIQ observed a single file per channel ID for most malware detected on Discord's CDN. Based on Microsoft's detection of the files we observed, we found a total of 27 unique malware families, encompassing four types:

  • Backdoors, e.g., AsyncRat
  • Password Stealers, e.g., DarkStealer
  • Spyware, e.g., Raccoon Stealer
  • Trojans, e.g., AgentTesla

Read the full article covering each of these 27 malware families in the RiskIQ Threat Intelligence Portal here.

Combat CDN Abuse

The abuse of Discord's infrastructure shines a light on the growing problem of CDN abuse by threat actors across the web. Leveraging internet-wide visibility to detect signs of malware in CDN infrastructure is crucial to minimizing the impact these valuable malware-delivery mechanisms could have against your organization. 

All Discord CDN links were reported to Discord via https://support.discord.com/hc/en-us/requests/new.

