Researchers have disclosed how cybercriminals abuse Discord as part of a popular attack chain employing a new SYK Crypter. The crypter can evade behavior and signature-based security controls.
SYK Crypter and Discord
According to Morphisec, the attack chain shows an evolution of how threat actors abuse Discord's Content Delivery Network (CDN).
The campaign began with targeted phishing emails aimed at organizations in different sectors.
To bait new victims by using a phishing email, attackers present the malware as a purchase order using file names such as New_Order_*[.]exe, AMAZON_ORDER*PDF[.]ex, and Purchase Order[.]exe.
The attack chain has two main components; a .NET loader (DNetLoader) and a .NET crypter (SYK Crypter).
The crypter spreads many malware families, including WarzoneRAT, AsyncRAT, QuasarRAT, NanoCore RAT, RedLine Stealer, and njRAT.
Discord as the popular attack surface
The increasing number of people using the community chat platform attracts a growing number of cybercriminals too. Discord has become a common platform for disseminating malware and attacks, as stated below.
OpenSea, a well-known marketplace for buyers and sellers of NFTs, disclosed information regarding a vulnerability in its Discord support channel, allowing spam bots to post phishing links to other users.
Further, researchers have discovered a malware builder, KurayStealer, to steal credentials and then ping them to Discord webhooks. A Discord user (Portu) advertises the malware builder.
Stay safe
Organizations should adopt zero trust architecture instead of using static malware solutions based on known behaviors or signatures. Further, users of chat platforms should always stay alert and follow standard security practices.