SecurityWeek

Cybercrime

VoIP Service Servers Abused to Host RATs

Free Voice-over-IP (VoIP) service Discord has had its servers abused to host and distribute remote access Trojans (RATs), Symantec warns.


Discord is highly popular among gaming communities, because it is simple and multiplatform, and has been used by more than 11 million people as of July 2016. The service allows users to quickly create groups so that gamers (teams, guilds, clans) can communicate over VoIP (both chat and voice) during a game.

IT security researchers have created servers there, and some users created groups where knowledge is being shared and exchanged on particular topics (some have thousands of members).

As with all popular services out there, Discord attracted hackers as well, some of whom have set up servers and invited people to join. Some actors have created servers that are used as a black market for the distribution of malware or stolen data, Symantec reveals.

The service’s chat feature allows users to post messages and links, as well as to embed pictures and videos, and even upload attachments. What’s more, some gamers use the chat channels as documentation boards, since the chat app allows members to upload most types of files.

Cybercriminals are abusing the feature to create servers and post or upload malicious attachments to the chat, and then use it as a download site in second-stage attacks. Other actors can also post malware to a server they were invited to.

According to Symantec, most of the malicious samples they discovered on the service are RATs such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat), yet infostealers, Trojan Horse malware samples, and downloaders were also found hosted on Discord. The security researchers believe that the malware might have been used in drive-by downloads or social-engineering campaigns.

NanoCore, a RAT that has been around since at least 2013, emerged as the most prevalent malware hosted on Discord’s chat servers. Several variations of this malware were observed early last year, and the RAT’s activity has continued constantly since then, focusing mainly on the United States, Japan, and Germany.


The malware hosted on Discord is mainly targeting the gaming industry, especially since the app allows users to video stream gaming sessions while hiding sensitive information.

“The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim’s computer. This data can be valuable to attackers just as much as other personally identifiable information (PII), such as users’ bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process,” Symantec notes.

After being informed of the manner in which its servers were being abused, Discord’s security team removed the malicious files from the servers’ chat channels. Moreover, the service has added a new virus scan feature that runs on its backend servers whenever an executable or archive file is uploaded.

To stay protected when using Discord, users are advised to avoid downloading or running programs from people they don’t know, to use the service’s permission control features to regulate the server’s users, and to restrict users’ permissions to curb abuse on the service, or grant individual permissions for better control.

When joining a Discord server, users should be careful about the content being posted on the chat channels and should never give out personal information to strangers. On their computers, users are advised to install and maintain an anti-malware solution that can protect them from threats, as well as to keep all applications on the machine up to date by applying the latest patches and updates.
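Network defenders can also look for the download pattern described above, where a chat attachment serves as the second-stage download site, in web proxy logs. The following is an added example, not code from Symantec, Discord or SecurityWeek; the log format and sample lines are constructed, and the attachment host name and extension list are assumptions.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Assumption: host that serves Discord chat attachments.
ATTACHMENT_HOSTS = {"cdn.discordapp.com"}
# Assumption: executable and archive extensions, the two file categories
# the article says Discord's backend scan covers on upload.
RISKY_EXT = {".exe", ".scr", ".dll", ".msi", ".bat", ".cmd", ".vbs",
             ".jar", ".ps1", ".zip", ".rar", ".7z"}

# Constructed sample proxy log: "timestamp client method url status bytes"
SAMPLE_LOG = """\
2016-10-20T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/screenshot.png 200 48211
2016-10-20T10:03:40Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/111/333/Game%20Hack.EXE?dl=1 200 912384
2016-10-20T10:05:12Z 10.0.0.7 GET https://example.com/downloads/setup.exe 200 1048576
2016-10-20T10:09:55Z 10.0.0.9 GET https://CDN.discordapp.com/attachments/444/555/invoice.pdf.zip 200 20480
malformed line
"""

def risky_attachment(url):
    """Return the decoded file name if url is a risky chat attachment, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ATTACHMENT_HOSTS or not parts.path.startswith("/attachments/"):
        return None
    # Decode %20 etc. and judge by the final extension, so "x.pdf.zip" counts as .zip.
    name = unquote(posixpath.basename(parts.path))
    ext = posixpath.splitext(name)[1].lower()
    return name if ext in RISKY_EXT else None

def find_risky_downloads(log_text):
    """Yield one record per successful GET of an executable or archive attachment."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2] != "GET":
            continue  # skip malformed lines and non-download methods
        ts, client, _, url, status, _ = fields
        name = risky_attachment(url)
        if name and status == "200":
            hits.append({"time": ts, "client": client, "file": name})
    return hits

if __name__ == "__main__":
    for hit in find_risky_downloads(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage rather than a verdict, since legitimate users also share archives and installers over chat.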


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
