Nation-state hacking groups are now leveraging the social platform Discord to target critical infrastructure. Discord has become a popular target for hosting malware and allowing information stealers to access sensitive data. While the platform is mostly used by information stealers that can be easily obtained online, cybersecurity firm Trellix found evidence of an artifact targeting Ukrainian critical infrastructures, although it is not linked to a known threat group. The artifact is a Microsoft OneNote file distributed via email, pretending to be from a non-profit organization. Once opened, it tricks recipients into clicking on a button that executes a script to download another PowerShell script from a GitHub repository. The final payload uses a Discord webhook to exfiltrate system metadata. Trellix’s analysis also revealed that loaders like SmokeLoader, PrivateLoader, and GuLoader, as well as malware families such as RedLine, Vidar, Agent Tesla, and Umbral, are commonly using Discord’s content delivery network (CDN) to download next-stage payloads. Additionally, malware families like Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT have been observed using Discord webhooks. The adaptability of cybercriminals to exploit communication platforms like Discord showcases the risk to critical infrastructure and sensitive data.
Source link