Research published by Cisco’s Talos division tells us hackers have been using Slack and Discord to hand out malware through links that seem legitimate. Both Slack and Discord have their own way to store uploaded files. Discord links usually start with “cdn.discordapp,” while Slack uses something like “slack-files.com/.” Once malware is uploaded to those platforms, they may look like any other link redirecting to a file within Slack or Discord, but not everything is what it seems.
Hackers have two good reasons to use Discord and Slack file servers: malware is delivered through HTTPS, and the files undergo a compression process that will obfuscate the contents.
It’s worth noting users don’t need to have Discord nor Slack installed to be targeted, since the malware does not reside on the platform or application, but rather hackers are using the CDN links to host the malicious code and appear legitimate. If a user clicks on a link redirecting to where malware is stored and downloads the file, they will become vulnerable.
Users may see the links on various platforms, but email seems to be the most likely. Emails with these links ask users for a transaction or tell about the importance of a particular document that can be accessed through the link. The emails can be written in various languages, including English, Spanish, French, German and Portuguese.
In some cases, downloading the first batch of files is just the “first part of a multi-stage infection process that often includes the delivery of additional binaries.” For example, if the compressed file includes a Word document, opening this same document may trigger a macro that will retrieve the next stage payload hosted within Discord’s CDN.
Hackers are also using Discord and Slack to steal user data. Through the Discord API, hackers can easily exfiltrate sensitive information through webhooks over HTTPS, blending with the rest of Discord’s network traffic.
Increased popularity and familiarity among users, ease of starting a malware campaign, and the anonymity that collaboration platforms offer are just a few reasons for hackers to target them. Next time you see a Discord link from an unsuspecting source, better think twice about its legitimacy.