Malware has been on the internet since the internet first emerged. In fact, it existed even before the internet, only it had to be spread manually during those early years of the computer age. These days, it is commonly encountered on shady websites, which is why so many anti-malware tools are available for people browsing the web.
There are, however, sites that most people spend time on, such as social media networks, messaging apps and the like, that are generally believed to be safe. According to a recent warning from security experts, this is not always the case.
Popular collaboration tools like Discord and Slack have been in use for some time, but since COVID-19 forced people to spend more time at home, and even to work from home, many more people have started using these apps. Whether for business, hanging out with friends, or finding channels where they can meet like-minded individuals in different fan bases, these apps have seen a surge in usage over the past year.
Now, however, researchers warn that hackers are hijacking them to distribute malware, particularly Discord and Slack.
The new report warning of the danger came from Cisco's Talos cybersecurity team, which discovered that the CDN features these messaging platforms use for easy file sharing are also being used by hackers for malware distribution.
It is unknown whether the hackers have a specific goal or are simply attracted to tools used by large numbers of people, but these chat apps are increasingly being turned against their own users.
Essentially, the platforms use CDNs (content delivery networks) to store files uploaded through the apps. More often than not, the resulting file links are hardcoded URLs, which makes the files retrievable both inside and outside the application itself. Furthermore, because the files are compressed and transferred over encrypted HTTPS connections, detecting malicious content can be extremely difficult.
As for the users, they believe the apps are safe, which typically makes them less careful about opening files received from unknown sources.
So, while these apps provide seamless communication and file sharing, they also give hackers an easy way to infect unsuspecting users and distribute malware and ransomware. Not only that, but researchers warn that hackers also use the platforms for command and control, and for extracting sensitive data from the apps' users who, once again, suspect nothing because they trust the app and have faith in its security.
According to Talos, the method has become extremely popular. So much so, in fact, that a simple VirusTotal search for samples hosted on the Discord CDN returned about 20,000 hits. The Talos team also noted that the method is often used in malware distribution campaigns involving RATs, stealers and many other types of malware that hackers employ to retrieve sensitive data from the systems they infect.
Researchers also pointed out that the Discord API has turned out to be a very effective tool for data exfiltration. Discord has a webhook feature, which was created for sending automated alerts. However, it can send any type of information, which unfortunately includes data collected by malware. This is how hackers withdraw data from the app without anyone noticing.
These webhooks are essentially URLs that clients can send a message to. The system then posts the message to a specific channel, according to the user's intention. All of this can happen without ever actually using the Discord app. Essentially, hackers use the Discord domain to disguise data extraction by making it look like typical Discord traffic crossing the network.
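As an added example (not from the article or from Talos), here is a small Python detector for the two patterns the report describes: a file fetched from the Discord CDN and a message posted to a Discord webhook, run over a constructed proxy log and correlated per client. The hostnames, URL layouts and the list of risky file extensions are assumptions based on Discord's public URL format; the log lines are constructed.

```python
import re
from urllib.parse import urlparse
# Discord endpoint shapes: hostnames and path layouts are assumptions based on
# Discord's public URL format, not taken from the article; adjust as needed.
CDN_ATTACHMENT = re.compile(r"^/attachments/\d+/\d+/[^/]+$")
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+$")
RISKY_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".iso", ".zip")

def classify(method, url):
    """Label one proxied request, or return None if it is unremarkable."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "cdn.discordapp.com" and CDN_ATTACHMENT.match(p.path):
        filename = p.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(RISKY_EXT):
            return "discord-cdn-risky-download"
        return "discord-cdn-attachment"
    if host in ("discord.com", "discordapp.com") and WEBHOOK_PATH.match(p.path):
        # Only a POST delivers a message; a GET merely reads webhook metadata.
        return "discord-webhook-post" if method.upper() == "POST" else None
    return None

def scan(lines):
    """Return (timestamp, client, label, url) for every flagged log line."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line
        ts, client, method, url, _status = fields[:5]
        label = classify(method, url)
        if label:
            findings.append((ts, client, label, url))
    return findings

def correlate(findings):
    """Clients that fetched a risky file from the CDN and also posted to a webhook."""
    by_client = {}
    for _ts, client, label, _url in findings:
        by_client.setdefault(client, set()).add(label)
    return {c for c, labels in by_client.items()
            if {"discord-cdn-risky-download", "discord-webhook-post"} <= labels}

# Constructed sample proxy log, one "timestamp client method url status" per line.
SAMPLE_LOG = """\
2021-04-08T10:01:22Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/123456789012345678/234567890123456789/invoice.exe 200
2021-04-08T10:01:30Z 10.0.0.5 POST https://discord.com/api/webhooks/345678901234567890/AbC-dEf_123 204
2021-04-08T10:02:01Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/123456789012345678/234567890123456790/photo.png 200
2021-04-08T10:02:10Z 10.0.0.9 GET https://example.com/index.html 200
2021-04-08T10:02:15Z 10.0.0.5 GET https://discord.com/api/webhooks/345678901234567890/AbC-dEf_123 200
""".splitlines()
```

Run `scan(SAMPLE_LOG)` and `correlate(...)` over a real proxy export to get a starting list of hosts worth a closer look; a matching client is a lead for triage, not proof of compromise, since legitimate Discord use produces the same URL shapes.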
With instant messaging growing in popularity, more such apps are emerging, and that only leaves more ways for hackers to rob the apps' users of data, and potentially more. The most important step is to make businesses aware of these risks, and for users to choose carefully which platforms they use in the future.