Online collaboration tools such as Discord and Slack are becoming breeding grounds for malware as attackers use the platforms to distribute malicious programs. A new report by Cisco's Talos threat intelligence team finds that the Content Delivery Networks (CDNs) behind these instant messaging platforms are the main reason criminals have taken to using them to spread malware.
When a user uploads a file to one of these platforms it is stored on the platform's CDN at a fixed, hardcoded URL, and that link keeps working whether or not the recipient opens it from inside the app. Malware is typically uploaded as a compressed archive and then downloaded over an encrypted HTTPS connection from a trusted domain, which makes it hard for antivirus and network inspection tools to catch the payload in transit or to block the source without blocking the whole service. Users are also less cautious about files that arrive over a familiar channel like this.
The CDNs being abused have several features that make file sharing seamless for users; those same features make it easy for criminals to spread malware and ransomware through the platforms. Attackers also use the platforms to host command and control (C2) infrastructure and to exfiltrate data from victims.
This method has become so popular that a search for samples that connect to the Discord CDN returned almost 20,000 results on VirusTotal.
“This technique was frequently used across malware distribution campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems,” the team said in a blog post.
The Discord API has also proven popular for data exfiltration. Its webhook functionality was designed so that external services can post automated alerts into a channel, but a webhook will accept any message, so it can just as easily carry stolen data. Malware uses it to send harvested information back to the attacker.
“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers explain. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”
Attackers also use webhooks to receive a notification each time a new system is infected.
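The two traffic patterns described above (payload downloads from hardcoded CDN attachment links, and webhook POSTs to the Discord API carrying stolen data or infection notices) are easy to hunt for in web-proxy logs. The following detector is an added example written for this page; it is not code from Talos or from the article. The log format it parses (timestamp, client, method, URL, status, bytes) is a constructed, simplified one, the sample log lines are made up, and the list of risky file extensions is an assumption a defender would tune to their environment. The Discord and Slack host names and URL path shapes are the real ones. Note that it redacts the webhook token before reporting, since a webhook URL is effectively a credential for the attacker's channel and should not be copied verbatim into tickets.

```python
"""Flag Discord/Slack CDN downloads and Discord webhook posts in proxy logs.

Added example for this page, not part of the Talos report or the article.
Log format is a constructed "<ts> <client> <METHOD> <url> <status> <bytes>";
real proxies differ, so adapt parse_line() to yours.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the platforms really use for stored files and for the webhook API.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
DISCORD_API_HOSTS = {"discord.com", "discordapp.com"}
SLACK_FILE_HOSTS = {"files.slack.com"}

# /api/webhooks/<id>/<token>  (also /api/vN/webhooks/<id>/<token>)
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/([A-Za-z0-9_\-]+)")
# /attachments/<channel_id>/<message_id>/<filename>
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/?]+)")
# Assumed list of archive/executable extensions worth alerting on; tune as needed.
RISKY_EXT = re.compile(r"\.(zip|rar|7z|exe|scr|iso|js|vbs|dll)$", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    kind: str      # "cdn_download", "webhook_post" or "slack_file"
    detail: str


def parse_line(line):
    """Split one constructed-format log line into (client, method, url, bytes)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, client, method, url, _status, size = parts
    return client, method.upper(), url, int(size)


def redact_webhook(path):
    """Replace the webhook token (a credential for the attacker's channel) in a URL path."""
    m = WEBHOOK_PATH.match(path)
    if not m:
        return path
    return path[:m.start(2)] + "<redacted>" + path[m.end(2):]


def classify(client, method, url, size):
    """Return a Finding for a suspicious request, or None."""
    u = urlparse(url)
    host, path = (u.hostname or "").lower(), u.path
    if host in DISCORD_CDN_HOSTS and method == "GET":
        m = ATTACHMENT_PATH.match(path)
        if m and RISKY_EXT.search(m.group(3)):
            return Finding(client, "cdn_download", f"{host}{path} ({size} bytes)")
    if host in DISCORD_API_HOSTS and method == "POST" and WEBHOOK_PATH.match(path):
        # Outbound bytes on a webhook POST are the exfiltrated payload size.
        return Finding(client, "webhook_post", f"{host}{redact_webhook(path)} ({size} bytes)")
    if host in SLACK_FILE_HOSTS and method == "GET" and RISKY_EXT.search(path):
        return Finding(client, "slack_file", f"{host}{path} ({size} bytes)")
    return None


def scan(lines):
    """Run classify() over every parseable log line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(*rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: one CDN archive download, one webhook POST, one benign
# image download, one Slack executable download, one ordinary API call.
SAMPLE_LOG = [
    "2021-04-07T10:15:02Z 10.1.2.3 GET https://cdn.discordapp.com/attachments/123456789012345678/987654321098765432/invoice.zip 200 48213",
    "2021-04-07T10:15:09Z 10.1.2.3 POST https://discord.com/api/webhooks/112233445566778899/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 204 1532",
    "2021-04-07T10:16:11Z 10.1.2.4 GET https://cdn.discordapp.com/attachments/123456789012345678/987654321098765433/photo.png 200 90311",
    "2021-04-07T10:17:40Z 10.1.2.5 GET https://files.slack.com/files-pri/T000-F000/setup.exe 200 2201034",
    "2021-04-07T10:18:00Z 10.1.2.6 GET https://discord.com/api/v9/users/@me 200 812",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client:<10} {f.kind:<13} {f.detail}")
```

Against the sample log this reports three findings: the archive fetched from the Discord CDN, the webhook POST (with its token redacted), and the executable pulled from Slack; the PNG download and the ordinary API call are ignored. The same client appearing in both a CDN download and a webhook POST within seconds is the sequence the report describes (payload retrieved, then stolen data or an infection notice sent home), which is worth correlating on rather than alerting on either event alone.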
With instant messaging apps gaining users as more people work from home, the threats associated with them grow too. Businesses should be especially aware of the risks and choose their platform carefully, the researchers say.