
Discord – Fundamentals and Threats

Introduction

In a world where more and more communities and businesses are based on instant messaging applications, it is just a matter of time before instant messaging takes the spotlight away from the traditional social media and commerce platforms. Instant messaging applications are more convenient than conventional forums and social media groups. However, the instant messaging realm is also divided into different application types and purposes. And some applications may also be embedded with hidden malicious intents.

Most people are familiar with WhatsApp and Telegram, even though these two applications are just the tip of the iceberg. The Discord instant messaging application is probably not the mainstream platform for the average user initiating communications. It contains multiple unique capabilities, which serve the gaming and cryptocurrency sectors. This mirrors how the internet as a whole works: a user relies on specific features of a service to serve a particular need, while those same attributes can be turned to malicious ends without the user’s involvement.

These chat apps have become some of the most interesting online spaces where people of all demographics and interests can congregate. People who value privacy and the protection of their conversations from third parties have flocked to Telegram and Discord for one-on-one and group chats.

As the communities maintain their high growth rates, it is just a matter of time before the platform starts trickling down into the mainstream, and other communities begin sharing data and monetizing their activities. Growth must be accompanied by proper defensive actions provided by Discord itself to prevent threat actors from gaining profit at the expense of legitimate users.

Figure 1: Tweet about joining the Discord NFT Community

How Discord Works

Most of the daily usage of an average instant messaging user may include private messaging, multiple channels that allow group chats, and news feed/broadcast channels to track the news and other interests directly and in real-time.

Discord channels live inside containers called servers; each server holds its own channels for both text and voice calls. Each server has its own culture and rules that members must observe, and server administrators and staff members can ban or kick out any rule-breaker.

Bots are currently the most widely used advanced feature. Discord goes further than most platforms by letting users create bots with extended capabilities. Services such as top.gg let developers offer their bots in a dedicated marketplace; a server owner who wants a specific bot can import it directly into their server and configure it as they wish.

Servers

A Discord server is made up of channels via which server members can communicate with each other through text, voice, or video options, such as sharing their computer screens. The Discord server can be set up as its own private or public server for exchanging ideas, news, or interests. You can even give yourself a different nickname for each server you join. A single server can have up to 500,000 members, although if more than 25,000 are online simultaneously, the owner must contact Discord support for more server space to avoid connection errors.

Figure 2: Public Discord Servers in top.gg

Channels

A Channel lets friends chat either one-to-one or as a group via a server. You can use the server to send direct messages to friends, have video calls with them, voice chat, and screen share. Once you are on a server, you can join a voice chat channel to talk to other members. This feature was initially created for gamers playing specific games and sharing their experiences.

Figure 3: Discord servers (in red) and channels (in blue) structure

Bots

Each server owner can add bots to their Discord server quite quickly. Bots have various roles in the group messaging platform and can automatically perform several functional tasks on a server, including welcoming new members, banning troublemakers, and moderating discussions. Some bots even add music or games to your server.

Encryption

Discord traffic is encrypted with HTTPS, so data is protected in transit, but Discord does not use end-to-end encryption, meaning message content is readable on Discord’s own servers. The Discord site is secure, performs regular security updates, and requires a secure password to create an account, so personal information is protected.

Users

Every Discord user has a unique four-digit “discriminator”, shown after their username and prefixed with “#”. This allows multiple users to share the same username and lets users find friends quickly.

Roles and Hierarchy

The hierarchy contains multiple management roles, from owners and bots to moderators and ordinary users. The Discord platform gives a server owner great flexibility in building hierarchy structures.

Figure 4: Role creation in Discord

Discover

A user can find communities through the Discover option, which surfaces new communities they might be interested in or opposed to.

Main Discord Communities

Discord, released in May 2015 and initially designed for creating communities mainly for gamers, became an excellent platform for education, crypto and businesses. Its great success in the gaming domain led to integration with Xbox Live and PlayStation Network, which allowed Discord users to import their gaming contacts. The Discord platform specializes in text, image, video and audio communication between users in a chat channel.

Some Discord servers are public, which means anyone can join. They also have verification processes to prevent spammers from entering.

Discord mainly contributes to three large communities:

Gaming

The gaming share of its over 140K servers is a hint that the platform was initially launched as a social platform for gamers. A gamer can find generic gaming servers covering multiple games and often other types of popular culture; however, many servers on Discord are devoted to a particular game. Official gaming servers are run and operated on behalf of the relevant gaming company. Others are unofficial groups, often full of ardent gamers keen to discuss a game’s latest features and gameplay.

Figure 5: Roblox Server on Discord

NFT, CryptoCurrency And Web3

The Cryptocurrency community found a home on the Discord platform. The crypto Discord server is an online community where users can discuss crypto-related news, transactions, and plans. The communities contain around seven million active servers. Most cryptocurrency servers, however, are private. These private servers tend to keep the information among members of their community only.

These servers are typically used as a place for interaction and as a source of information for those curious about trending topics. They also act as marketplaces for trading NFTs. This has given rise to entire art communities in the digital realm, where NFT artists meet investors and collectors.

Discord’s permission infrastructure creates a natural habitat for NFT communities, and this is where the Decentralized Autonomous Organization (DAO) comes into action. A DAO is a community-led entity with no central authority. A user only needs to trust the DAO’s code, which is entirely transparent and verifiable by anyone. Implementing the DAO model lets the NFT community grow and prosper on the Discord platform.

One known NFT project with a dedicated server is the Bored Ape Yacht Club’s Discord server. In early June 2022, the community fell victim to a phishing attack, which manifested itself as a misleading giveaway used to steal NFTs and cryptocurrency worth several hundreds of thousands of U.S. dollars. The attackers exploited the trust of the users by posing as community managers; such incidents highlight the damage and influence that threat actors can achieve when they infiltrate the private environment of Discord communities.

Educational

One of the common use-cases is the educational servers. During the Covid-19 pandemic, schools were challenged with finding digital solutions for collaborating with their students. Some teachers created Discord servers for classes to interact digitally, and students formed their learning groups on the platform. Discord was thus able to significantly expand its reach.

Discord Traffic and Users

Since its establishment in 2015, active users have kept increasing. Discord’s current traffic is 150M monthly active users with 1.2B visits per month.

The platform is currently included in the top five social media platforms worldwide. Most users originate in the U.S., the Philippines, Brazil and India. Most users are aged 24 and lower; the platform permits usage from the age of 13.

Discord Users Volume in Millions

Threats, Bots, and Bot Manipulation

As mentioned in the previous sections, bots play a significant part in community management; they help the operators keep their environment safe and sound. Bot creation on Discord is open source in nature, meaning that developers can monetize their skills while creating effective bots that run within servers and channels. For the typical user, following a server bot’s instructions goes without saying. If the bot is compromised, it could lead to extensive infection of users via phishing attacks and malware distribution.

In February, the popular NFT platform OpenSea was also successfully phished, with approximately $1.7 million in digital assets stolen from multiple site users. This attack took advantage of a previously unknown vulnerability in the smart contracts that underpinned NFTs, duping OpenSea users into signing “smart contracts” that served as blank checks to drain their accounts.

Figure 7: Top 5 Bots According to top.gg

Mee6

MEE6 is a Discord bot widely used by crypto and NFT projects. A hack of the Mee6 bot, used to moderate Discord channels, led to scam messages being sent in multiple communities; in the Axie Infinity incident, the threat actors posed as one of the game’s owners.

Along with Axie Infinity, the compromise of the Mee6 Discord bot led to spam messages in several other NFT services: the 9GAG-backed Memeland series, Nike-owned RTFKT and CLONEX, Phantom Network (PXN) and the Proof platform’s Moonbirds series. An additional related incident involves the Web3 infrastructure of a social graph protocol named CyberConnect, which was compromised via a Discord bot that began sending users malicious links that infected them with malware.

Dyno

Dyno is another bot that lets a server owner manage and operate the server with fully customizable moderation via a dashboard, making server management much easier. Dyno is used on over 7.4 million servers. Last May it was reported that hackers misused Dyno to perform verification on a fake domain.

Figure 8: Dyno misuse as appeared on Reddit

Carl-Bot

OpenSea, the primary marketplace for NFT buyers and sellers, reported last May an issue in its Discord channel related to a potential vulnerability. A bot called Carl-bot, which was active on the channel, shared an announcement about a partnership with YouTube and a limited-time giveaway for the first registrations. The announcement was followed by a link to a phishing website, youtubenft[.]art. Needless to say, this message contained classic phishing and scamming attributes.

Figure 9: OpenSea tweet regarding the incident
Figure 10: Carl-bot Phishing scam as appeared on the OpenSea channel

Discord as an Alternative

During the past year, the Cyberint Research Team detected an increasing shift from darknet forum chats to Discord, both for communication and for the consumption of dark services, and over the past months this shift has accelerated significantly. At the same time, over 60K records involved redirection from darknet sources and cybercriminal platforms to Discord channels and servers; threat actors currently use darknet forums to advertise their Discord communities.

Figure 11: Darknet on Discord as detected by Argos platform
Figure 12: Advertisement in Breached.to redirecting to a Discord channel

The numbers are dramatic. The number of mentions from multiple sources, including instant messaging platforms regarding Discord groups, increased by 412% in the past year.

Figure 13: Total Discord mentions in Forums and IM platforms

Moreover, looking at Telegram chats alone, the transition rate is even higher: users either run Discord in parallel to their Telegram channels or move fully from Telegram to Discord. While in June 2021 there were hundreds of such messages, one year later, in June 2022, we saw over 10K messages containing transition information, a 4424% increase in one year.

Figure 14: Total Discord mentions in Telegram

Discord as a Malware Breeding Surface

With remarkable similarity to Telegram and WhatsApp, Discord is a significant breeding ground for malware and phishing campaigns for two reasons: the first is the excellent monetization that can be gained from users on the platform; the second is the lack of supervision, as platform add-ons are open source without any significant verification on Discord’s corporate side. It was revealed that hackers launched several malware attacks against Discord in 2021. Over 20 distinct types of malware have been discovered, and cybercriminals distribute them using various methods.

Figure 15: Malicious Discord RAT Bots offered in darknet forums

Another major issue, given the lack of surveillance by server operators or Discord itself, is the use of bots for various other malicious activities, ranging from sending spam messages, as seen in the bots section above, to complex schemes that have emerged since the start of 2022. An attack launched in April on the Instagram account of the Bored Ape Yacht Club (BAYC) was similar to the Discord bot attacks in that the hacker used a breach to announce a fake minting of new NFTs; the attacker stole over $3 million in sought-after monkey images by convincing account followers to connect their crypto wallets. In separate incidents involving different Discord bots, BAYC’s Discord was also hacked in February and early April; one of these incidents involved the theft of a Mutant Ape Yacht Club NFT worth approximately $69K.

Main Types of Discord Malware and Hacks

Installation file manipulation: An intentionally infected Discord installation file, which is difficult for an average user to detect.

Remote access Trojans: Cybercriminals distribute remote access trojans (RATs) through phishing links. Threat actors create accounts to spread malware and utilize the platform’s capability of permanent file hosting. After generating a Discord-specific URL to spread the malware, they can delete their accounts and the link remains active. Even if a user no longer uses Discord, the content is still hosted by the Discord content distribution network (CDN). Furthermore, even without having a Discord account, a victim could click on the Discord-related link and be exposed to and infected by the malware.

NitroHack: Discord Nitro is a paid Discord membership that grants access to special emojis from every server a user is a part of, stickers, a unique Discord number tag, animated avatars, and other features. Malware known as NitroHack entices victims by offering free access to the premium Discord tier. Instead, it collects cached browser information, including credit card data, and the tokens of Discord users. NitroHack transforms the Windows client for Discord into a Trojan. The free-premium scam is then repeated to keep fooling further users.

MosaicLoader: A malware threat called MosaicLoader frequently causes havoc by imitating file information from genuine software. Furthermore, its payload technique frequently infects the targeted system with many malware strains simultaneously. The malware uses legitimate Discord links; however, it is related to cookie stealers that can exfiltrate login data from sites such as Facebook, enabling account takeovers by malicious parties.

Figure 16: Discord Hack Tool Pack offered for sale in Darknet Forum

Discord as a Dropzone and C2

Malicious files distributed through Discord represent a permanent threat: a threat actor can upload a malicious file to the platform and use the platform as a Dropzone/C2. Sharing files through Discord is very easy, and every file uploaded to the platform is assigned a permanent URL, formatted as follows:

cdn.discordapp.com/attachments/{channel ID}/{file ID}/{file name}

Most files are freely available for download by anyone with the link. One observed instance is a dropzone embedded in a fake website offering downloads of the Zoom web conferencing client: the website looks real, while the malicious file is hosted on Discord. This gets around restrictions on downloading files from untrusted sources, the rationale being that the servers of a popular application used by millions are less likely to be blocked by anti-malware solutions.

Current Active Threats

The Cyberint Research Team investigated how many active malicious files use Discord links as a dropzone and for C2 communication. The numbers are impressive: in the last 90 days, nearly 9K different malicious files were detected utilizing the Discord technique. The malicious files range from portable executables to compressed RAR and ZIP archives, VBS scripts, and more.

If a malicious file communicates with a Discord-based C2, monitoring and blocking it is a complex task, since the application’s TLS encryption hides the content and the traffic blends in with legitimate Discord activity.
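As an added example (not code from the original post or from Cyberint’s tooling), the following Python snippet shows how a defender can hunt for the attachment URL format given in the previous section in proxy logs or in the printable strings of a suspicious file sample, which is the host- and proxy-side visibility that the TLS note above leaves open. The media.discordapp.net hostname, the snowflake ID lengths, the risky-extension list and all sample IDs and log lines are assumptions or constructed values, not indicators from the post.

```python
import re
from dataclasses import dataclass

# Matches the attachment URL format described in the post:
#   cdn.discordapp.com/attachments/{channel ID}/{file ID}/{file name}
# media.discordapp.net serves the same attachments and is included as an assumption.
ATTACHMENT_RE = re.compile(
    r"(?:https?://)?(?:cdn\.discordapp\.com|media\.discordapp\.net)"
    r"/attachments/(\d{15,22})/(\d{15,22})/([^\s\"'<>?#]+)",
    re.IGNORECASE,
)

# File types the post reports (PE, RAR/ZIP, VBS) plus common script and
# installer types; this list is an assumption and should be tuned locally.
RISKY_EXTENSIONS = {"exe", "dll", "scr", "msi", "vbs", "js", "jse", "ps1",
                    "bat", "cmd", "hta", "lnk", "rar", "zip", "7z", "iso"}


@dataclass(frozen=True)
class Attachment:
    url: str
    channel_id: str
    file_id: str
    file_name: str

    @property
    def extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""

    @property
    def risky(self) -> bool:
        return self.extension in RISKY_EXTENSIONS


def find_attachments(text: str) -> list[Attachment]:
    """Return every Discord CDN attachment URL found in text (proxy logs, strings output, HTML)."""
    return [Attachment(m.group(0), m.group(1), m.group(2), m.group(3))
            for m in ATTACHMENT_RE.finditer(text)]


def printable_strings(data: bytes, min_len: int = 8) -> str:
    """Rough 'strings'-style extraction so a binary sample can be scanned for embedded URLs."""
    return "\n".join(s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def scan_sample(data: bytes) -> list[Attachment]:
    """Flag risky attachment URLs embedded in a file sample (dropzone/C2 indicator)."""
    return [a for a in find_attachments(printable_strings(data)) if a.risky]


# Constructed sample data: a fake dropper blob with an embedded download URL and two
# constructed proxy log lines. IDs, names and addresses are placeholders, not real IoCs.
SAMPLE_BLOB = (b"\x4d\x5a\x90\x00" + b"\x00" * 16 +
               b"https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe"
               + b"\x00" * 8)
SAMPLE_LOG = ("2022-07-01T10:15:02Z proxy client=10.0.0.5 GET "
              "https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/invoice.pdf 200\n"
              "2022-07-01T10:16:44Z proxy client=10.0.0.5 GET "
              "https://media.discordapp.net/attachments/555555555555555555/666666666666666666/zoom_client.zip 200\n")

if __name__ == "__main__":
    for a in find_attachments(SAMPLE_LOG):
        print(("RISKY " if a.risky else "ok    ") + a.url)
    for a in scan_sample(SAMPLE_BLOB):
        print("embedded dropzone URL in sample:", a.file_name, "channel", a.channel_id)
```

Because the URL is a fixed, parseable format, the channel and file IDs it yields can be pivoted on across other samples and logs even though the download itself travels over TLS.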

Bot as Malware

Multiple GitHub repositories can deploy a malicious bot that lets an attacker take over a Discord server fairly quickly. One example is Possum Bot, a well-known bot with over 180 stars on its GitHub repository. The bot, written in JavaScript, can be installed quickly and easily, and it offers multiple commands such as obtaining admin permissions and banning everyone on the server.

Figure 17: Possum Bot GitHub Account

As bots are created by third parties and stored in open-source repositories such as GitHub, the exposed code of the many bots stored online can be cloned and modified for malicious use. There are over 150K repositories of Discord bots on GitHub.

An additional example of chat-related malicious code was recently published on GitHub: using mainly capabilities provided by the Discord API, the author could execute arbitrary code on a user’s computer.

Figure 18: Multiple features including Discord RAT published on GitHub

Conclusions

As the world advances toward new types of ecosystems, from open-source communities that let users develop their own extensions to decentralized platforms in which every user has permission to vote and shape the present, Discord offers an accessible platform that can host current and future communities.

Discord is one of the pioneers to deploy this kind of platform and allow users to take control over their servers and environments. The platform keeps gaining advocates who believe that this is a reflection of what the future ecosystem should look like.

New ideas and revolutionary platforms bring both opportunities and threats, and this is precisely what can be seen in Discord. On the one hand, legitimate users create amazing communities and let them prosper while followers keep increasing; on the other hand, threat actors take advantage of the relatively unsafe platform to manipulate users and steal information, data and money.
