Threat Watch

Attackers are Using Discord and Slack Links to Spread Malware

As a result of the increase in remote work during the pandemic, platforms like Discord and Slack have grown in popularity by keeping people in touch with colleagues, family and friends. As with any popular technology, attackers are finding ways to abuse it for their own purposes. Among the collaboration-app abuse techniques Cisco’s researchers are warning about, the most common is essentially using Slack or Discord as a file hosting service. Both Discord and Slack allow users to upload files to their servers and create externally accessible links to those files, so that anyone who clicks the link can download the file. Cisco found nine recent spy tools that attackers are trying to spread in this fashion, including Agent Tesla, LimeRAT and Phoenix Keylogger. The links do not have to be delivered to victims inside Slack or Discord. They can also be served up over email, where attackers can far more easily trawl for victims en masse, impersonate a victim’s colleagues, and reach users with whom they have no previous connection. As a result, Cisco has recorded a major uptick in the use of those links to deliver malware via email in the past year. “Over the last several months we’ve seen tens of thousands, and the rate has been steadily increasing,” says Biasini. “Right now, it appears to be peaking.” Aside from exploiting the trust that users place in Slack and Discord links, the technique also obscures the malware from network inspection, since both Slack and Discord serve their links over HTTPS and compress files when they are uploaded. And while other ways of hosting malware can be taken offline or blocked once an attacker’s server is discovered, Slack and Discord links are harder to take down or to block users from accessing, because they sit on legitimate, widely used domains. “Adversaries are most likely going to be affected by things like shutting down a server, shutting down a domain, blacklisting files,” says Biasini. “And what they’ve done is figured out a way to break that.”

Aside from asking Slack and Discord to scan the files hosted on their sites more effectively for signs of malware, Cisco’s Biasini argues that organizations should consider simply blocking Discord links in corporate email, given that Discord is rarely an authorized collaboration tool inside enterprise networks. For organizations that use Discord and cannot block it, and for users who do not have enterprise-level security policies, links from these platforms should be treated as suspicious, particularly when they come from unknown external sources. Some simple advice applies here: if you do not know the sender, do not click the link. If it sounds too good to be true, then it is. Lastly, if you have never clicked a Discord URL before, do not start now.
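Biasini’s recommendation to block or flag Discord links in corporate email can be enforced at a mail gateway. The following is an added example, not code from the article or from Cisco, that scans a constructed message body for Discord and Slack file-hosting links and applies a simple quarantine policy; the hostname list and the severity levels are assumptions to be tuned for your environment.

```python
import re
from urllib.parse import urlparse

# Hostnames of the platforms' file-hosting (CDN) endpoints. This list is an
# assumption based on publicly known hostnames, not taken from the article.
FILE_HOSTS = {
    "cdn.discordapp.com": "discord",
    "media.discordapp.net": "discord",
    "files.slack.com": "slack",
}
# Other Discord hostnames (invites, app links) flagged at lower severity.
OTHER_DISCORD_HOSTS = {"discord.com", "discord.gg", "discordapp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def classify_link(url):
    """Return (platform, severity) for one URL, or None if it is not of interest."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in FILE_HOSTS:
        # Uploaded files are served from attachment-style paths on these hosts.
        sev = "high" if "/attachments/" in parsed.path or host.startswith("files.") else "medium"
        return (FILE_HOSTS[host], sev)
    if host in OTHER_DISCORD_HOSTS or host.endswith(".discord.com"):
        return ("discord", "low")
    return None

def scan_email_body(body):
    """Find collaboration-platform links in a message body; return a list of findings."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)>")  # trailing punctuation is not part of the link
        hit = classify_link(url)
        if hit:
            findings.append({"url": url, "platform": hit[0], "severity": hit[1]})
    return findings

def should_quarantine(findings, block_discord=True):
    """Policy: quarantine on any file-hosting link; optionally on any Discord link at all."""
    return any(f["severity"] == "high" or (block_discord and f["platform"] == "discord")
               for f in findings)

# Constructed sample message body (not a real phishing email).
SAMPLE_BODY = """Hi team, the updated invoice is here:
https://cdn.discordapp.com/attachments/111/222/invoice_2021.zip.
Also see our handbook at https://intranet.example.com/handbook and
join the chat: https://discord.gg/abc123"""

if __name__ == "__main__":
    for finding in scan_email_body(SAMPLE_BODY):
        print(finding)
    print("quarantine:", should_quarantine(scan_email_body(SAMPLE_BODY)))
```

Because the links themselves are HTTPS, this inspection has to happen where the message is still readable (the mail gateway or the mail client), not on the wire.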

Source Article: