Introduction
Since the onset of the pandemic, the internet has become a central part of our lives. People of all ages turned online for school and work, to stream videos, to play video games, have virtual get-togethers, shop, talk to their doctor, and engage in any number of other activities.
During 2020, research showed a sharp increase in game downloads, and this activity did not go unnoticed by cybercriminals. Attackers have often exploited the popularity of certain games (Among Us was a recent example) to lure players into downloading fake versions that served malware. Recently, the Zscaler ThreatLabZ team noticed new campaigns in which cybercriminals are targeting gamers.
The key findings of our research include:
- Multiple campaigns relying on the cdn.discordapp.com service for their infection chain.
- Cybercriminals are using Discord CDN to host malicious files as well as for command-and-control (C&C) communication.
- Malicious files are renamed as pirated software or gaming software to trick gamers.
- File icons are also related to gaming software to trick gamers.
- Multiple categories of malware are being served through the Discord app’s CDN infrastructure - ransomware, stealers, and cryptominers.
The attack usually starts with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. It’s worth noting, however, that using Discord to host payloads is not new. This campaign uses Discord services to form a URL to host malicious payloads as follows: https://cdn.discordapp.com/attachments/ChannelID/AttachmentID/filename.exe
Figure 1: Malicious files blocked in the Zscaler cloud served via cdn.discordapp.com
Technical Analysis
Discord is a chat application that allows users to chat with each other in real time. Users can communicate with voice calls, chat messages, and video calls as well as send files to one another. But attackers also use Discord, often to distribute malicious files and steal information. This CDN service was actually started as a content distribution network for serving static content to users, but it has revealed some considerable risks. For example, an attacker can upload a malicious file on a Discord channel and share its public link with others—even non-Discord users can download it. Worse, a file sent from Discord is there forever, so even if an attacker deletes a file within Discord, its link can still be used to download the malicious file.
Figure 2: Infection chain of different malware on cdn.dscordapp.com
We have seen multiple payloads being used in recent campaigns, primarily consisting of these four:
- Epsilon ransomware
- Redline stealer
- XMRig miner
- Discord token grabbers
Epsilon Ransomware
(MD5: f509bd9e1fbd7721c95d0d19ba317b03)
We have analyzed the Epsilon ransomware loader in which execution starts with dropping an .inf file and .exe file in the Windows/Temp folder.
The dropped payload performs the following actions upon execution.
Figure 3: Payload functionality
- persistence() - Establishes persistence on the victim machine
- encryptionStage() - Encrypt files
- wallpap() - Download ransom image from Discord
- extract() - Download ransom note from Discord
- sapi() - Display ransom note
- x3() - Delete shadow copy(Recovery File)
- clearmem() - Clean Memory
- Exit() - Quit application
The malware establishes persistence by creating the follow registry key on the victim's machine:
Figure 4: Run key entry for persistence
It will enumerate through the the system drives to encrypt the files using double encryption. First, it encrypts the files with AES encryption using a randomly generated 32-bit key. Then, those encrypted files will again be encrypted with the RC4 algorithm with a randomly generated 256-bit key.
Figure 5: Searching drives for file encryption
The custom AES algorithm using 256-bit encryption.
Figure 6: Custom AES algorithm
It also uses custom RC4 encryption that has a 2048-bit variable-length key, whereas actual RC4 encryption uses a 256-bit variable-length key.
Figure 7: Custom RC4 algorithm
It downloads the ransom note image from the cdn.discordapp.com link to show on the victim’s machine upon successful encryption.
Figure 8: Downloading READ_ME.hta file
The ransom note contains an email ID EpsilonCrypt@tutanota[.]com to communicate with the attacker for further information on payment and decryption key/software. There is no C&C used by this ransomware variant.
Figure 9: Epsilon ransomware note with email ID to contact attacker
The ransomware deletes the shadow copies as well as the catalog to prevent victim from recovering the original files which are now encrypted.
Figure 10: Deleting shadow copy and catalog
Redline Stealer
(MD5: 67A29EF483B6A9485269D5B15A900119)
The next file we saw during our analysis is a Redline stealer. This stealer has been available on Russian underground forums since the first quarter of 2020 and is fairly new. It’s available as a standalone application and on a subscription basis with prices ranging from $100 to $300, depending upon the version and capabilities. We have seen multiple samples of the Redline stealer blocked in the Zscaler cloud sandbox, and below is our analysis of a recent sample written in .NET.
Redline Stealer Functionalities
- Collects login and passwords, cookies, autocomplete fields, credit cards
- Data collection from FTP clients, IM clients
- Customizable file-grabber based on path, extension
- Customizable to not work in a country that is on a denylist
- Collects information from the victim's machine: IP, country, city, current username, HWID, hardware information (video cards, processors), screenshot, screen resolution, keyboard layout, operating system, UAC settings, administrative privileges, user-agent, installed antiviruses
- Downloads file from the URL to a specified location on the victim's machine
- Process injection
- Download and execute the file
- Supports all browsers based on Chromium
- Supports all Gecko-based browsers
Execution starts with dropping a copy of itself into the AppData/Roaming folder. Unpacked binary shows the author making use of several popular gaming application names for internal functions.
Figure 11: Redline stealer .NET function names using popular gaming applications.
The stealer is capable of collecting data form several FTP and IM clients installed on the victim's machine as seen below:
Figure 12: Data collection from FTP clients, IM clients
Figure 13 shows a module that is responsible for collecting information from browsers, such as stored cookies and credit card information.
Figure 13: Stealing credit card info
In addition to the functions to grab data from browser, FTP, and IM clients, the malware also steals victim's cryptocurrency wallet and collects victim's geolocation, hardware information, and Client IP address.
SOAP over HTTP for C&C
Redline stealer uses SOAP over HTTP for C&C communication. The malware is developed in .NET framework where the use of SOAP becomes very easy and also provides the additional advantage of being independent of an underlying protocol.
Figure 14: Getting config setting from C&C
All the data being collected according to configuration settings is sent back to the C&C server.
Figure 15: Sending stolen client info
After sending the collected data to the C&C server, the stealer is tasked with downloading and executing additional payloads based on the victim's machine information.
Figure 16: Receiving a task from the C&C server
The remote task action module is used to download and execute the files as instructed by the C&C server.
Figure 17: Remote task action
XMRig miner
(MD5:41F5CF39159295CFECE4D6B37BEB2D6D)
The next malware we have been seeing in this ongoing campaign is XMRig miner. The miner’s execution starts by dropping a copy of itself at
%ProgramData%\RealtekHDUpdater\realtekdrv.exe.
The malware also changes the file permissions using the following command:
- %ProgramData%\RealtekHDUpdater" & ATTRIB +h +s +r
- %ProgramData%\RealtekHDUpdater\cuda-helper.dll"& ATTRIB +h +s +r
- %ProgramData%\RealtekHDUpdater\nvrtc-builtins64_100.dll"& ATTRIB +h +s +r
This is done to use the miner capabilities without user permissions.
The malware connects to C&C server using the following command:
- Cmd open (class="de1">)(.*)(</div></li>).https://pastebin(.)com/VKRXfjxX, which yields shgsqfdzin.000webhostapp.com.
Notice the usage of PasteBin URL to store the C&C server location.
The malware then creates a scheduled task:
- /CREATE/SC MINUTE /MO 1/TN "Realtek Updater"
The miner also tries to delete some programs that can be used to detect the miner or impact its efficiency, such as games.
The following is the list of programs the miner tries to delete:
Process Hacker, Task Manager, Windows, Windows Task Manager, AnVir Task Manager, Taskmgr.exe, taskmgr.exe, procexp64.exe, procexp32.exe, perfmon.exe, procmon.exe, csgo.exe, dota2.exe, RainbowSix_Vulkan.exe, RainbowSix.exe, FortniteClient-Win64-Shipping.exe, EscapeFromTarkov.exe, Rust.exe, VALORANT.exe, Overwatch.exe, gta_sa.exe, GTA5.exe, Radeon, NVIDIA GeForce
After this, the miner is launched using the following Monero address:
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQswVtyKcWBsLoeY6A2
Discord token grabbers
(MD5:5dd2400c3b6e3178eedde22c2427fda9)
Cloud apps have become a mainstay for gamers just as they have for business and individual users. Cloud apps are great for interactivity, but they can also be leveraged for malicious attacks. The Discord token grabber is a broad term used to describe attacks that use Discord tokens to steal user information.
In this case, the stealer uses Discord app to steal data from the user and send it to a predetermined C&C server. Below is the screenshot of token grabber code extracted from a recent payload:
Figure 18: Stealer code
Here, the program collects user information, for example, Environment.UserName, and sends it over using a webhook defined in the dcWebHook.WebHook variable.
Figure 19: JSON response when the URI is visited
TroubleGrabber
(MD5: 2c178066d48d69dd56923343d338a376)
This is a known stealer that uses Discord tokens to steal and send user data to its C&C. This stealer both spreads and communicates through Discord app, using Discord URLs for attachments like cdn[.]discordapp[.]com/attachments/[0-9]{18}/[0-9]{18}/Nameofattachment.rar.
The name of the attachment can vary from being the name of a software application used by most users or cracked versions of games or tools, such as Discord Server Tool.exe, Galaxy Security Panel.exe, Vron Software.exe, CrackHub 2021.exe, or Vape V4 Cracked.exe.
TroubleGrabber fetches payloads from https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator to begin its next stage after being executed in the victim's machine.
These files are as follows:
https://cdn[.]discordappp[.]com/attachments/797230131218874430/797241057136869446/sendhookfile[.]exe
https://raw.githubusercontent.com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer2[.]vbs
https://cdn[.]discordapp[.]com/attachments/797230131218874430/797241059254992916/Token_Stealer[.]bat
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/raw/master/AVOID%20ME/WebBrowserPassView[.]exe
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/raw/master/AVOID%20ME/curl[.]exe
Coverage
The malware payloads observed in these campaigns were successfully blocked by the Zscaler Cloud Sandbox.
Figure 20: Zscaler Cloud Sandbox report of Epsilon ransomware
Figure 21: Zscaler Cloud Sandbox report of Redline stealer
Figure 22: Zscaler Cloud Sandbox report of XMRig miner
Detections:
Conclusion
Discord is primarily a chatting platform built for gamers and is becoming increasingly popular among other professional communities for sharing information. We’re observing an increase in the usage of the Discord app to deliver malicious files by attackers. Due to the static content distribution service, it is highly popular among threat actors to host malicious attachments that remain publicly accessible even after removing actual files from Discord.
The Zscaler ThreatLabZ team will continue to monitor Discord-based malware campaigns to share the information with the community and to keep our customers safe.
MITRE ATT&CK:
ID |
Tactic |
Technique |
T1078 |
Valid Accounts |
It uses valid account to access email |
T1107 |
File Deletion |
Self delete |
T1204 |
User Execution |
User interaction |
T1268 |
Conduct social engineering |
Uses social eng to install payload |
T1489 |
Service Stop |
Stop critical services |
T1528 |
Steal Application Access Token |
Steal access token for valid account |
T1490 |
Inhibit System Recovery |
Delete shadow copies on a system |
T1222 |
File Directory Permissions Modification |
Change directory permission to hide its file |
T1555 |
Credentials from password store |
Steal stored password |
T1056 |
Keylogging |
Keylog of infected machine |
T1055 |
Process Injection |
Inject code into other process |
Indicators of Compromise
MD5 |
Malware Name |
Malicious URLs / C&C |
f509bd9e1fbd7721c95d0d19ba317b03 |
Epsilon Ransomware |
https://cdn.discordapp[.]com/attachments/599226424695455755/800470210456846366/TaskHostHelper.exe |
77d69cda0eebcd83f3a5e48d5f46a0d6 |
Epsilon Ransomware |
https://cdn.discordapp[.]com/attachments/599226424695455755/800087465523675176/65QEF.bmp |
384c8470e59de327922bc5b8bc70c5f7 |
Epsilon Ransomware |
https://cdn.discordapp[.]com/attachments/599226424695455755/798932401216552974/READ_ME.hta |
efd0d1bd1e2bd38644a856707e0736ee |
Redline Stealer |
hxxps://cdn.discordapp[.]com/attachments/789938122951098380/791391319288184832/Outwith.exe |
67a29ef483b6a9485269d5b15a900119 |
Redline Stealer |
https://cdn.discordapp[.]com/attachments/791427246031241270/797113668583948288/UpdaterMicrosoft.exe |
4f5a53d149b343503c090601552468b1 |
XMRig Miner |
hxxp://cdn.discordapp[.]com/attachments/789938122951098380/791391327693832202/frost-miner-pro-v1.2.exe |
add4a9d06d21a044336462ff9871739f |
XMRig Miner |
hxxp://cdn.discordapp[.]com/attachments/553272395977195520/792811479073292298/crypted.exe |
55c481a5eb77786ea4a12f8509301272 |
XMRig Miner |
hxxps://cdn.discordapp[.]com/attachments/553272395977195520/792811479073292298/crypted.exe |
b6d5b390d8248e95810e7af2e92faf5b |
XMRig Miner |
hxxps://cdn.discordapp[.]com/attachments/553272395977195520/797581786623901706/Summerset.exe |
2c178066d48d69dd56923343d338a376 |
Trouble Grabber |
https://cdn.discordapp[.]com/attachments/799044673527611392/799045065116221490/Token_Stealer.bat |
5dd2400c3b6e3178eedde22c2427fda9 |
Discord Token Grabbers |
http://207.32.216[.]211/peepee.exe |