Advanced Persistent Threats (APT) have been observed abusing Discord to target critical infrastructure in Ukraine and steal sensitive data.
This is according to a new report from Trellix, whose researchers said this was the first time an APT (which are usually state, or state-sponsored groups) abused the popular communication and collaboration platform to exfiltrate information.
According to the report, an unnamed threat actor was engaged in a phishing attack, in which it distributed a OneNote file named “dobroua.one” – a typosquatted name of the Ukrainian non-profit organization dobro.ua. The file urged the reader to make a donation to the Ukrainian cause and offered a button named “Support”. Clicking it runs an embedded Visual Basic Script (VBS) which, after a few steps, starts exfiltrating data via Discord’s webhook.
Highly targeted attacks
On Discord, a webhook is a utility designed to send messages to text channels without the need for the Discord application. It is also an automation feature that, in this particular instance, allows the attacker to send files and other data stored on the victim’s machine.
Trellix believes the attack is highly targeted, as in its telemetry it hasn’t seen any further related samples. “This suggests the attack was targeting only the Ukrainian critical infrastructure organizations where the sample was recovered, and any further stages apart from the ones described could not be retrieved,” they explained.
It’s also worth mentioning, the researchers say, that the campaign was probably in its earlier stages, as the final payload was all about gathering system information. “The actor could deliver a more sophisticated piece of malware to the compromised systems in the future by modifying the file stored in the GitHub repository,” the researchers warn.
One of the reasons Discord isn’t being used by APTs on a bigger scale is the lack of complete control over the C2 server. Should they be compromised, Discord can terminate their account at any time, potentially cutting off access to any sensitive information they might have obtained in the meantime.
Via BleepingComputer