Discord is fast becoming a favorite tool of cybercriminals

As people around the world turned to video games to keep themselves busy during pandemic lockdowns, cybercriminals took notice and launched new campaigns targeting gamers, according to new Zscaler research. These attacks often take advantage of the popularity of certain games, such as Among Us, to trick gamers into downloading fake versions that deliver malware. Cybercriminals have also started deploying ransomware, credential stealers, and cryptominers against gamers.

Common to many of these new campaigns is that cybercriminals have begun to exploit the Discord group chat platform as a CDN to host their malicious payloads. While the use of the service to host payloads is nothing new, the number of cybercriminals doing so has increased over the last year. For example, an attacker can upload a malicious file to a Discord channel and share the public link to it with others, both those who use the service and those who don't. Worse yet, a file uploaded to Discord is there forever, so even if an attacker deletes a file shared through the service, its link can still be used to download the malicious file.
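Because these payloads are fetched over ordinary public links, one place a defender can look for them is web proxy logs. The following is an added example, not code from Zscaler or from the original article: it flags downloads of executable or archive attachments from the Discord CDN. The host names, the log format, the extension list and the sample records are assumptions constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit, unquote

# Hosts that serve Discord attachments (assumption, not named in the article).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# File types to review when fetched from a chat CDN (assumed policy list).
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".msi", ".bat", ".cmd", ".ps1",
                    ".vbs", ".jar", ".zip", ".rar", ".7z", ".iso"}
# Attachment links look like /attachments/<channel id>/<attachment id>/<name>.
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url>".
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/AmongUs_Setup.exe
2021-03-01T10:00:07Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/223/screenshot.png
2021-03-01T10:02:13Z 10.0.0.9 GET https://CDN.discordapp.com/attachments/333/444/free%20game.PDF.scr?ex=1
2021-03-01T10:03:40Z 10.0.0.7 GET https://example.org/attachments/1/2/tool.exe
2021-03-01T10:04:02Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/333/445/mod_pack.zip
malformed line
"""

def find_discord_cdn_downloads(log_text):
    """Return one finding per risky attachment download from the Discord CDN."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated records
        timestamp, client, method, url = fields
        parts = urlsplit(url)
        # urlsplit lower-cases hostname, so CDN.discordapp.com still matches.
        if method != "GET" or parts.hostname not in DISCORD_CDN_HOSTS:
            continue
        match = ATTACHMENT_PATH.match(parts.path)
        if not match:
            continue
        # Decode %20 etc.; the query string is already outside parts.path.
        filename = unquote(match.group(3))
        extension = os.path.splitext(filename)[1].lower()
        if extension in RISKY_EXTENSIONS:
            findings.append({"time": timestamp, "client": client,
                             "channel_id": match.group(1), "filename": filename})
    return findings

if __name__ == "__main__":
    for finding in find_discord_cdn_downloads(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage, not a verdict: the same link pattern carries legitimate files, so pair it with the requesting process or endpoint telemetry before acting.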

Discord CDN

In a new report, Zscaler's ThreatLabZ team explained how its researchers observed multiple payloads, including the Epsilon ransomware, Redline stealer, XMRig miner, and Discord token diggers, shared using the service. Many malicious files used in these campaigns are rebranded as pirated or gaming software in an attempt to trick gamers into downloading them. Cybercriminals also use file icons related to popular games to trick users into opening them.

At the same time, attackers are also using Discord for command and control (C&C) communication, as we saw last year with a new version of the AnarchyGrabber Trojan. For those unfamiliar, C&C servers are remote hosts that are used to send commands to malware running on an infected computer.

In their report on the subject, Zscaler's Avinash Kumar, Aditya Sharma and Abhay Kant Yadav explained how Discord's growing popularity outside of gaming and its CDN capabilities have made the service popular with cybercriminals, saying: “Discord is first and foremost a discussion platform designed for gamers and is becoming increasingly popular among other professional communities for sharing information. We are seeing an increase in the use of the Discord app to deliver malicious files by attackers. Due to the static content delivery service, it is very popular among threat writers to host malicious attachments that remain publicly available even after deleting real files from Discord.”