October 17, 2023 at 12:15PM
Nation-state hacking groups are using Discord’s content delivery network (CDN) to target critical infrastructure. While Discord is currently mainly used by information stealers, a cybersecurity firm has found evidence of an artifact targeting Ukrainian critical infrastructure, indicating a potential emergence of APT malware campaigns on the platform. This introduces a new layer of complexity to the threat landscape. Malware families like SmokeLoader and GuLoader are among those utilizing Discord’s CDN. This highlights cybercriminals’ adaptability in exploiting collaborative applications for their gain and puts critical infrastructure and sensitive data at risk.
Meeting Notes: Oct 17, 2023
Topic: Newsroom Malware / APT
Key Takeaways:
– Discord, a social platform, is being abused by threat actors, including nation-state hacking groups, to target critical infrastructure.
– Discord’s content delivery network (CDN) is used to host malware and allows information stealers to extract sensitive data.
– Trellix researchers have found evidence of an artifact targeting Ukrainian critical infrastructure, but it is not linked to a known threat group.
– A sample Microsoft OneNote file distributed via email impersonating the non-profit dobro.ua is used to trick recipients into donating. This file contains a booby-trapped button that executes a Visual Basic Script (VBS) and downloads PowerShell scripts from a GitHub repository.
– In the final stage, PowerShell utilizes a Discord webhook to exfiltrate system metadata.
– The campaign is in an early stage, with the aim of obtaining information about the system. However, the actor could potentially deliver more sophisticated malware in the future.
– Trellix’s analysis reveals that loaders such as SmokeLoader, PrivateLoader, and GuLoader utilize Discord’s CDN to download next-stage payloads. Malware families like RedLine, Vidar, Agent Tesla, and Umbral are prevalent.
– Discord webhooks are also used by malware families such as Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT.
– The abuse of Discord’s CDN and webhooks by cybercriminals showcases their adaptability and puts critical infrastructure and sensitive data at risk.
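Added example (not part of the original notes or of Trellix's research): a minimal proxy-log check for the two behaviours listed above, a non-client process posting to a Discord webhook and script or executable downloads from Discord CDN attachments. The log format, process allowlist, extension list and sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample proxy log: time, host, process, method, URL (format is an assumption).
SAMPLE_LOG = """\
2023-10-17T09:01:02Z ws-014 powershell.exe POST https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN
2023-10-17T09:01:05Z ws-014 Discord.exe GET https://cdn.discordapp.com/attachments/111/222/holiday.png
2023-10-17T09:03:40Z ws-022 wscript.exe GET https://cdn.discordapp.com/attachments/111/333/update.exe?ex=abc
2023-10-17T09:04:10Z ws-030 chrome.exe GET https://discord.com/channels/111/222
2023-10-17T09:05:00Z ws-031 chrome.exe GET https://cdn.discordapp.com/attachments/111/444/setup.ps1
"""

WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PATH = re.compile(r"^/api/(v\d+/)?webhooks/\d+/[\w-]+")
CDN_HOST = "cdn.discordapp.com"
# Assumed allowlist of processes a person uses Discord through; tune per environment.
INTERACTIVE = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# File types worth a look when pulled from CDN attachments (illustrative, not exhaustive).
RISKY_EXT = {".exe", ".dll", ".msi", ".ps1", ".vbs", ".bat", ".js", ".one"}


def classify(line):
    """Return (host, process, reason) for a suspicious line, else None."""
    _ts, host, proc, method, url = line.split(maxsplit=4)
    u = urlsplit(url)
    name = (u.hostname or "").lower()
    interactive = proc.lower() in INTERACTIVE
    # Webhook exfiltration: a script host or other non-client process POSTing to a webhook.
    if name in WEBHOOK_HOSTS and WEBHOOK_PATH.match(u.path):
        if method == "POST" and not interactive:
            return (host, proc, "webhook-post-from-non-client")
    # Payload staging: attachment downloads, judged on the path (query string ignored).
    if name == CDN_HOST and u.path.startswith("/attachments/"):
        if posixpath.splitext(u.path)[1].lower() in RISKY_EXT:
            return (host, proc, "cdn-executable-download")
        if not interactive:
            return (host, proc, "cdn-fetch-from-non-client")
    return None


def scan(log_text):
    """Classify every non-empty line and keep the hits."""
    hits = (classify(l) for l in log_text.splitlines() if l.strip())
    return [h for h in hits if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Environments with no business use of Discord can skip the allowlist and alert on any request to these hosts.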