VoIP Service Servers Abused to Host RATs

Free Voice-over-IP (VoIP) service Discord has had its servers abused to host and distribute remote access Trojans (RATs), Symantec warns.

Discord is highly popular among gaming communities, because it is simple and multiplatform, and has been used by more than 11 million people as of July 2016. The service allows users to quickly create groups so that gamers (teams, guilds, clans) can communicate over VoIP (both chat and voice) during a game.

IT security researchers have created servers there, and some users created groups where knowledge is being shared and exchanged on particular topics (some have thousands of members).

As with all popular services out there, Discord attracted hackers as well, some of whom have set up servers and invited people to join. Some actors have created servers that are used as a black market for the distribution of malware or stolen data, Symantec reveals.

The service’s chat feature allows users to post messages and links, as well as to embed pictures and videos, and even upload attachments. What’s more, some gamers use the chat channels as documentation boards, since the chat app allows members to upload most types of files.

Cybercriminals are abusing the feature to create servers and post or upload malicious attachments to the chat, and then use it as a download site in second-stage attacks. Other actors can also post malware to a server they were invited to.

According to Symantec, most of the malicious samples they discovered on the service include RATs such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat), yet infostealers, Trojan Horse malware samples, and downloaders were also found being hosted on Discord. The security researchers believe that the malware might have been used in drive-by downloads or social-engineering campaigns.

NanoCore, a RAT that has been around since at least 2013, emerged as the most prevalent malware hosted on Discord's chat servers. Several variations of this malware were observed early last year, and the RAT’s activity has continued constantly since then, focusing mainly on the United States, Japan, and Germany.

The malware hosted on Discord is mainly targeting the gaming industry, especially since the app allows users to video stream gaming sessions while hiding sensitive information.

“The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim’s computer. This data can be valuable to attackers just as much as other personally identifiable information (PII), such as users' bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process,” Symantec notes.

After being informed of the manner in which its servers are being abused, Discord’s security team removed the malicious files from the servers’ chat channels. Moreover, the service has added a new virus scan feature that runs on its backend servers whenever an executable or archive file is uploaded.
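How an upload pipeline might decide which files reach such a scanner, as an added example (not Discord's code and not from Symantec's report): it classifies uploads by leading magic bytes rather than by filename, so an executable renamed to look like an image is still routed to scanning. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes for the two upload classes the article names.
MAGIC = [
    (b"MZ", "executable"),               # Windows PE/DOS
    (b"PK\x03\x04", "archive"),          # ZIP and ZIP-based containers
    (b"Rar!\x1a\x07", "archive"),        # RAR 4 and 5
    (b"7z\xbc\xaf\x27\x1c", "archive"),  # 7-Zip
    (b"\x1f\x8b", "archive"),            # gzip
]
# Assumed list of extensions treated as directly runnable on Windows.
EXEC_EXTS = (".exe", ".scr", ".com", ".dll", ".bat", ".cmd", ".vbs")

def classify(data: bytes) -> str:
    """Classify an upload by content, ignoring its filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"

def scan_reasons(filename: str, data: bytes) -> list:
    """Return the reasons an upload should be sent to the malware scanner."""
    reasons = []
    kind = classify(data)
    if kind != "other":
        reasons.append(f"content is {kind}")
    if kind == "executable" and not filename.lower().endswith(EXEC_EXTS):
        reasons.append("executable content under a non-executable name")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            inner = []
            reasons.append("malformed ZIP")
        if inner:
            reasons.append("archive contains " + ", ".join(inner))
    return reasons

def sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a stub file named like an installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mods/setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in [("skin.png", b"MZ" + b"\x00" * 62),
                       ("mods.zip", sample_zip()), ("notes.txt", b"hello")]:
        print(name, scan_reasons(name, data))
```

An empty list means the upload matched neither class and would bypass the scan trigger; anything else names why it was routed to scanning.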

To stay protected when using Discord, users are advised to avoid downloading or running programs from people they don’t know, and to use the service’s permission control features to regulate the server’s users, either restricting users’ permissions to curb abuse on the service or granting individual permissions for better control.

When joining a Discord server, users should be careful with the content being posted on the chat channels and should never give out personal information to strangers. On their computers, users are advised to install and maintain an anti-malware solution that can protect them from threats, as well as to keep all applications on the machine up to date by applying the latest patches and updates.
