Using Discord infrastructure for malicious intent

Research by: Idan Shechter & Omer Ventura

  • Check Point Research (CPR) spotted a multi-functional malware with the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord
  • There are currently over 150 million monthly active users on Discord
  • Users must be aware that Discord’s bot framework can be easily used for malicious intent

Background

The past year has seen a major upturn in the use of VoIP, instant messaging and digital distribution platforms. These platforms allow users to do everything from creating meetings to configuring subject-oriented channels and topic-related communities.

In 2021, Discord, a popular cross-platform application, hosted more than 19 million active servers covering different genres and topics (gaming, arts, marketing, finance, sports, etc.). According to Influencer Marketing Hub, there are currently over 150 million monthly active users.

Check Point Research (CPR) has spotted early signs of malicious actors taking an interest in this emerging technology. The most prominent sign is a multi-functional malware available to anyone on GitHub. This malware has the capability to take screenshots, download and execute additional files, and perform keylogging – all by using the core features of Discord.

CPR decided to explore the potential abuse of Discord by threat actors, and more importantly, determine how to prevent these attacks.

Discord and Bots – By Design

Discord lets users integrate code that adds features and makes community management easier. These integrations are the Discord bots. As Discord’s popularity has increased, so has the use of these bots.

Currently, most Discord bots can be installed through centralized services such as “top.gg”, which offers a wide variety of free-to-use bots.

Figure 1: top.gg main page. Anyone can upload a bot to the store

Figure 2: How popular can a bot be?! 3.2M installations!

Additionally, Discord bot development services offer custom-made Discord bots for a variety of prices.

Figure 3: A Discord bot development service advertisement.

Discord bots appear to be powerful, friendly, and highly time-saving. However, with great power also comes great responsibility, and Discord’s bot framework can be easily used for malicious intent.

Early Signs of Malicious Intent

CPR found several malicious repositories on GitHub that are relevant to the Discord platform. These repositories include malware based on the Discord API and malicious bots with different functionalities.

Figure 4: One of the malicious repositories found to control remote computers using a Discord bot and Python 3

From a preliminary examination, we discovered a few capabilities that can be achieved using basic Python functions. As explained above, such malware and bots can easily be found on the Internet.

The fact that such malware is written in cross-platform languages makes it relevant to any supported platform (OSX, Linux, Windows).

An example of this is the malicious toolkit DiscordRootKit.

This specific malware, written in Python, seems to have several functionalities:

  • Open a shell on the running device.
  • Find different browser tokens – Chrome, Opera, Yandex.
  • Take screenshots.
  • Take webcam snapshots from the device’s camera.
  • Key-logging.

Figure 5: Keylogging output of the malware in the infected client.

  • Log different malware actions.
  • Download a file from a given link.
  • Copy the file to the Windows start directory to run at boot time.
  • Persistence method –
    • Add a backdoor to Discord’s index.js file. Discord has file integrity checks for its files, but index.js is an exception. This lets the malware plant a backdoor in the file that remains undetected (this specific payload is also not detected by various antivirus engines). The backdoor can then run arbitrary code on the client with user privileges whenever the user opens Discord (if it is installed on the system).

Figure 6: The file after the manipulation. The only original code line is the last line (13)

Figure 7: Process explorer shows the malicious code executed under Discord process.

The code is compiled with PyInstaller. The resulting exe file remains undetected by the AV engine.
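As an added defensive check (not code from the post or from the repositories it analyzes), the following script looks for the index.js manipulation described above: the Figure 6 pattern is injected code followed by the single original loader line. It assumes that a stock discord_desktop_core index.js contains only `module.exports = require('./core.asar');`, and it builds a constructed install tree so it can run offline.

```python
import os
import tempfile

# Assumption: a stock Discord desktop_core index.js contains exactly this line.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"


def classify_index_js(text: str) -> str:
    """Return 'clean' if the file is only the stock loader, else a tampered verdict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines == [STOCK_INDEX_JS]:
        return "clean"
    # Figure 6 pattern: injected code first, the original loader as the last line.
    if lines and lines[-1] == STOCK_INDEX_JS:
        return "tampered-appended"
    return "tampered-replaced"


def scan_discord_index_js(root: str) -> list:
    """Walk an install root and return (path, verdict, line_count) for every
    discord_desktop_core index.js that is not the stock loader."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.js" in files and "discord_desktop_core" in dirpath:
            path = os.path.join(dirpath, "index.js")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            verdict = classify_index_js(text)
            if verdict != "clean":
                findings.append((path, verdict, len(text.splitlines())))
    return findings


def build_fixture() -> str:
    """Constructed sample install tree: one clean module and one with placeholder
    lines injected ahead of the loader (no real payload)."""
    root = tempfile.mkdtemp(prefix="discord_fixture_")
    module = os.path.join("modules", "discord_desktop_core-1", "discord_desktop_core")
    clean = os.path.join(root, "app-1.0.0", module)
    bad = os.path.join(root, "app-1.0.1", module)
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "index.js"), "w") as fh:
        fh.write(STOCK_INDEX_JS + "\n")
    with open(os.path.join(bad, "index.js"), "w") as fh:
        fh.write("// placeholder injected lines\nconst x = 1;\n" + STOCK_INDEX_JS + "\n")
    return root
```

On a real machine, point scan_discord_index_js() at the Discord install root (assumed to be %LOCALAPPDATA%\Discord on Windows) instead of the fixture; any verdict other than clean deserves a look at the file contents and the process tree, as in Figure 7.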

Taking the malware challenge

Key Findings

  1. Nothing but the malware needs to be installed on the victim machine – not even Discord.
  2. Encrypted communications make the malware difficult to detect.
  3. File hosting can be used as a dropzone (a server on the Internet that serves additional files).

We decided to explore the idea of using Discord bots for malicious purposes, in particular, implementing a Discord bot with malicious functionalities to provide an attacker with remote code execution capabilities.

It is important to note that CPR’s experiment was for educational purposes only, and no harm was done to any user or platform.

We discovered that the Discord Bot API, with its simple Python implementation that eases modifications and shortens the development process, can easily turn a bot into a simple Remote Access Trojan (RAT – a tool used by malware developers to gain full access to and remote control over a user’s system).

The bot uses the “discord” Python module, which does not require the Discord app to be installed on the victim’s machine. The module is then given the relevant API token to listen for incoming messages on a pre-defined Discord server.

Once a command is provided, the bot executes the pre-defined actions on the victim’s machine.

Figure 8: Becoming a Remote Access Trojan (RAT)

Communication Process

The whole communication process is handled by Discord, which results in communication encrypted with TLS 1.3.

Aside from the fact that the communication is encrypted (which requires no effort from the attacker), it is classified as Discord traffic. This means there is no way of distinguishing malicious from legitimate traffic, which makes the malware much harder to detect.

This simple technique provides the attacker with an effortless botnet setup. The Discord server is used as a C2, and the communication itself is handled by Discord.

In addition, because Discord is cross-platform, an attacker can control the botnet from any Discord-supporting platform, including mobile devices, which improves flexibility.

Possible infection chain

Apart from the fact that Discord-based malware doesn’t require Discord to be running or even installed on the victim’s machine, it can easily be compiled into an executable file (.exe). The malware can then run independently on any Windows machine – whether Discord or Python is present makes no difference.

Such malware can be disguised as a legitimate program, which, once opened, infects the victim’s machine and provides the attacker with remote control access.

In other words, such malware doesn’t specifically target just Discord users, but all users.

In some cases, bots create and send files via Discord servers. These files are intended for the community’s use, and this excess of trust can easily be exploited if the bot sends malicious files.

Discord as File Hosting

Hackers usually look for a domain where they can store their malicious files. There are several options for file hosting, from popular hosting platforms (free or paid) to dedicated domains. Discord can be used as well. Whenever a user uses the upload function in Discord, the file is uploaded to Discord’s CDN (Content Delivery Network) and stored publicly.

Figure 11: Uploading a file using the “+” button uploads it to Discord CDN.

After uploading the file, the user can copy the file’s CDN URL, allowing anyone who reaches this URL to download that file. In this way, Discord essentially works as a file hosting server, but one that requires no setup at all. An attacker can upload a file to a newly created, dedicated server in seconds, or send the file to another party.

In addition, the attacker’s privacy is preserved. Combined with other methods, for example re-sending the file at intervals so that the CDN URL changes, this makes tracing the attacker or blocking the payload more difficult.

This is the URL format:

https://cdn.discordapp.com/attachments/864519125711323200/869890167828250655/Secret

Figure 12: Attacker can use the CDN of Discord to perform as a file-hosting server

While examining this use of Discord for hosting malicious files, we found dozens of attacks that used Discord as a hosting server.

Steps to stay safe from Discord based malware and how to spot if you’ve been infected:

  • Avoid visiting unsafe and unknown websites – suspicious links are always a red flag
  • Only download files from trusted sources – do not download a file unless you’re sure of its safety
  • Monitor your network’s traffic – if Discord traffic exists while Discord is not installed on the system, you may have been infected by Discord-based malware
  • When working with Discord bots, we highly recommend hosting unknown bots on an external server – avoid running them on your personal machine
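As an added example (not from the post), the third bullet and the CDN hosting section can be turned into two log-based detection rules: Discord API or gateway traffic from a host that has no Discord client in inventory, and executable-looking attachments fetched from cdn.discordapp.com. The proxy log lines, the host inventory and the log format are constructed; gateway.discord.gg and discord.com are Discord’s documented bot gateway and REST API hosts.

```python
from urllib.parse import urlparse

# Constructed inventory: hosts known to have the Discord client installed.
DISCORD_INSTALLED = {"ws-alice", "ws-bob"}

# gateway.discord.gg and discord.com are Discord's documented bot gateway and
# REST API hosts; cdn.discordapp.com is the attachment CDN shown in the post.
DISCORD_API_HOSTS = {"gateway.discord.gg", "discord.com"}
DISCORD_CDN = "cdn.discordapp.com"
RISKY_EXT = (".exe", ".scr", ".dll", ".js", ".ps1", ".bat", ".zip")

# Constructed proxy log lines, format "<time> <host> <method> <url>".
SAMPLE_LOG = """\
2021-08-01T10:00:01Z ws-alice GET https://discord.com/api/v9/gateway
2021-08-01T10:00:02Z ws-carol GET https://discord.com/api/v9/gateway/bot
2021-08-01T10:00:03Z ws-carol CONNECT wss://gateway.discord.gg/?v=9&encoding=json
2021-08-01T10:00:04Z ws-bob GET https://cdn.discordapp.com/attachments/1111/2222/photo.png
2021-08-01T10:00:05Z ws-dave GET https://cdn.discordapp.com/attachments/3333/4444/invoice.exe
"""


def analyze(log_text: str, installed: set) -> list:
    """Return (host, rule, url) for every log line matching a detection rule."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, host, _method, url = parts
        parsed = urlparse(url)
        dest = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        # Rule 1: Discord API/gateway traffic from a host with no Discord client.
        if dest in DISCORD_API_HOSTS and host not in installed:
            findings.append((host, "discord-api-no-client", url))
        # Rule 2: executable-looking attachment fetched from the Discord CDN.
        if dest == DISCORD_CDN and path.startswith("/attachments/") and path.endswith(RISKY_EXT):
            findings.append((host, "cdn-executable-download", url))
    return findings


if __name__ == "__main__":
    for host, rule, url in analyze(SAMPLE_LOG, DISCORD_INSTALLED):
        print(f"{rule:24} {host:9} {url}")
```

The Discord web client in a browser also reaches discord.com, so rule 1 is a triage lead to confirm against the process that owns the connection (a Python interpreter or an unknown binary rather than a browser) before treating it as an infection.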

Conclusion

Discord is a large-scale platform used for chats, voice calls and video. The platform has various features that give users many capabilities in terms of management, data sharing, and connection preferences. However, these can also be used for malicious purposes such as malware development, botnet setups, C2 communication and malicious file hosting. The Discord API does not require any type of confirmation or approval and is open for everyone to use. Because of these Discord API freedoms, the only way to prevent Discord malware would be to disable all Discord bots, which can’t be done without harming the Discord community. As a result, it’s up to the users’ own actions to keep their devices safe.

As of now, any type of file, malicious or not, whose size is less than 8MB can be uploaded and sent via Discord. Although Discord’s cache is monitored by modern AVs, which alert the user when a received file is considered malicious, the files remain available for download. Until relevant mechanisms are implemented, users must apply safety measures and only download trusted files.

CPR decided to take the challenge of exploring emerging technologies, considering the interest threat actors appear to be taking in these platforms. Check Point Software works to protect organizations while they grow and adopt new technologies. Our network security solutions allow companies to manage their policies and prevent most advanced attacks.

References

  • DiscordRootKit – hxxps://github[.]com/NullByte75/DiscordRootKit

A few adjustments were made in order to run the code. After the code’s broken paths were fixed, the analysis of its capabilities was carried out.

  • Idisagree – hxxps://github[.]com/UndeadSec/Idisagree

Protections

Project Name      Hash (MD5)                          Protection
DiscordRootKit    3bb93902208897445499aa46c411509e    Backdoor.Wins.DiscordBackdoor.A