Workflow & collaboration tools like Slack & Discord have been infiltrated by threat players, who are abusing their functions to evade security & deliver info-stealers, remote-access trojans (RATs) & other malware.
One Discord network search turned up 20,000 virus results, researchers noted.
The pandemic caused move to remote working drove business processes onto these collaboration platforms in 2020, & predictably, 2021 has led to a new level cyber-criminal expertise attacking them.
Trick Users
Cisco’s Talos cyber-security team state in a report on collaboration app abuse this week that during the past year threat players have increasingly used apps like Discord & Slack to trick users into opening malicious attachments & deploy various RATs & stealers, including Agent Tesla, AsyncRAT, Formbook & others.
“One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked,” Talos researchers warned. “By using these chat applications that are likely allowed, they are removing several of those hurdles & greatly increase the likelihood that the attachment reaches the end user.”
Network Abuse
The researchers explained that Slack, Discord & other collaboration app platforms use content delivery networks (CDNs) to store the files shared back & forth within channels. E.g., Talos uses the Discord CDN, which is accessible by a hardcoded CDN URL from anywhere, by anyone on the internet.
“This functionality is not specific to Discord. Other collaboration platforms like Slack have similar features,” Talos reported. “Files can be uploaded to Slack, & users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed.”
The trick, the team said, is to get users to click on a malicious link. Once it has evaded detection by security, it’s just a matter of getting the employee to think it’s a genuine business communication, a task made easier within the confines of a collaboration app channel.
Malicious Payload
This also means attackers can deliver their malicious payload to the CDN over encrypted HTTPS, & that the files will be compressed, further disguising the content, according to Talos. Over the past year, they observed many common compression algorithms being used, including .ACE, .GZ, .TAR & .ZIP, & several less common types, like .LZH.
“In most cases, the messages themselves are consistent with what we have grown accustomed to seeing from malspam in recent years,” Talos observed. “Many of the messages purport to be associated with various financial transactions & contain links to files claiming to be invoices, purchase orders & other documents of interest to potential victims.”
Messages were given by attackers in various languages, including English, Spanish, French, German & Portuguese, they added.
Additional Bugs
CDNs are also handy tools for cyber-criminals to deliver additional bugs with multi-stage infection tactics. The researchers saw this behaviour across malware, adding that one Discord CDN search turned up almost 20,000 results in Virus Total.
“This technique was frequently used across malware distribution campaigns associated with RATs, stealers & other types of malware typically used to retrieve sensitive information from infected systems,” the Talos team explained.
Registry Run Entries
The team used this screenshot to illustrate this type of attack on Discord, showing a first-stage malware tasked with fetching an ASCII blob from a Discord CDN. The data from the Discord CDN is converted into the final malicious payload & injected remotely, the report explained.
“As is common with Remcos infections, the malware communicated with a command-&-control server (C2) & exfiltrated data via an attacker-controlled DNS server,” the report added. “The attackers achieved persistence through the creation of registry run entries to invoke the malware following system restarts.”
In another campaign using AsyncRAT, the malware downloader looked like a blank Microsoft document, but when opened used macros to deliver the bug.
C2 Communications
The Discord API has turned into an effective tool for attackers to exfiltrate data from the network. The C2 communications are enabled through webhooks, which the researchers explained were developed to send automated messages to a specific Discord server, which are frequently linked with additional services like GitHub or DataDog.
“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel & all without using the actual Discord application,” they outlined. The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network, they added.
Level of Anonymity
“The versatility & accessibility of Discord webhooks makes them a clear choice for some threat actors, states the analysis: “With merely a few stolen access tokens, an attacker can employ a truly effective malware campaign infrastructure with very little effort. The level of anonymity is too tempting for some threat actors to pass up.”
This communication flow can also be used to alert attackers when there are new systems available to be hijacked and delivers updated information about those they have already infiltrated, Talos suggested.
Ransomware & Discord
The team also noticed campaigns linked with Pay2Decrypt LEAKGAP ransomware, which used the Discord API for C2, data exfiltration & bot registration, in addition to Discord webhooks for communications between attacker & systems.
“Following successful infection, the data stored on the system is no longer available to the victim & the following ransom note is displayed,” the report observed. They provided a screenshot of the ransom note received by users after infection:
Discord generates an alphanumeric string for each user, or access token, according to Talos, which attackers can steal to hijack accounts, they added they saw this frequently targeting online gaming.
Discord Token-Stealers
“At the time of writing, Discord does not implement client verification to prevent impersonation by way of a stolen access token,” explained Talos. “This has led to a large amount of Discord token-stealers being implemented & distributed on GitHub and other forums.
In many cases, the token stealers pose as useful utilities related to online gaming, as Discord is one of the most prevalent chat & collaboration platforms in use in the gaming community.”
These accounts are then used to anonymously deliver malware & for social-engineering purposes, they add.
How to Mitigate
The solutions, much like the threats themselves, need to be multi-faceted, according to experts. But the primary responsibility to put more security in place is on the platforms themselves, according to Oliver Tavakoli, CTO of Vectra.
“This trend will continue until suppliers of such collaboration tools put more effort into providing more policy controls to lock down the environment and add more telemetry to monitor it,” Tavakoli explained. “It will also require security vendors to step up & use the telemetry to detect and block attacks within these communication channels.”
On the business side, Mark Kedgley, CTO at New Net Technologies, recommends focusing on user privileges.
Vulnerability Management
“To mitigate the risks, more focus on least privilege is needed, as it’s still too common for users to run with local admin rights,” Kedgley recommended. “Email & office applications provide a number of hardened settings to combat malware & phishing; however, not enough organisations make use of them. Change control & vulnerability management as core security controls should be in place as well.”
How can a business or any user be expected to stay on top of all the communications channels today’s workers are trying to maintain? Simplification is 1 way to narrow the attack area & make it reasonable for users to be careful of security, Chris Hazelton with Lookout advised.
Users are Overwhelmed
“Most organisations have too many communication tools: email, collaboration & messaging platforms, web conferencing chats, & text messages on phones & tablets,” Hazelton concluded.
“This means users are overwhelmed as they communicate with different or sometimes the same people across multiple platforms. This leads to lesser awareness of risks in sharing across collaboration platforms & other communications tools.”
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/
