Advanced Persistent Threats (APTs) have been observed abusing Discord to target critical infrastructure in Ukraine and steal sensitive data.
That is according to a new report from Trellix, whose researchers said this was the first time an APT (these are usually state or state-sponsored groups) abused the popular communication and collaboration platform to exfiltrate information.
According to the report, an unnamed threat actor was engaged in a phishing attack in which it distributed a OneNote file named "dobroua.one" – a typosquatted name of the Ukrainian non-profit organization dobro.ua. The file urged the reader to make a donation to the Ukrainian cause and offered a button named "Support". Clicking it runs an embedded Visual Basic Script (VBS) which, after a few steps, starts exfiltrating data via a Discord webhook.
Highly targeted attacks
On Discord, a webhook is a utility designed to send messages to text channels without the need for the Discord application. It is essentially an automation feature that, in this particular instance, allows the attacker to send files and other data stored on the victim's machine.
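Because the webhook call is an ordinary HTTPS POST to discord.com, the exfiltration described above leaves a trace in outbound web-proxy logs. The following detector is an added example written for this article; it is not code from Trellix, Discord, or the campaign. It assumes a constructed tab-separated proxy log format (timestamp, client IP, method, URL, request bytes, content type) and matches the public Discord webhook URL shape (`/api/webhooks/<id>/<token>`); the sample log lines, IPs, webhook IDs and tokens are all invented.

```python
"""Flag outbound Discord webhook POSTs in web-proxy logs.

Added illustrative example, not code from the Trellix report or from
Discord. The log layout (tab-separated: timestamp, client IP, method,
URL, request bytes, content type) is an assumption for this example.
"""
import re
from typing import Dict, Iterable, List

# Public Discord webhook endpoints look like
#   https://discord.com/api/webhooks/<numeric id>/<token>
# The legacy discordapp.com host and an /api/vN/ version prefix also occur.
WEBHOOK_RE = re.compile(
    r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/[\w-]+",
    re.IGNORECASE,
)

# Constructed sample log lines (not real telemetry). Client 10.0.0.42 posts
# a multipart body (a file attachment) to a webhook, then a JSON message,
# then a large upload to a second webhook on the legacy host.
SAMPLE_LOG = """\
2023-06-01T10:01:02Z\t10.0.0.15\tGET\thttps://discord.com/api/v9/gateway\t0\t-
2023-06-01T10:02:17Z\t10.0.0.42\tPOST\thttps://discord.com/api/webhooks/123456789012345678/AbCdEf-gH_ijKlMnOp\t58213\tmultipart/form-data
2023-06-01T10:02:18Z\t10.0.0.42\tPOST\thttps://discord.com/api/webhooks/123456789012345678/AbCdEf-gH_ijKlMnOp\t1190\tapplication/json
2023-06-01T10:03:00Z\t10.0.0.7\tGET\thttps://dobro.ua/\t0\t-
2023-06-01T10:04:45Z\t10.0.0.42\tPOST\thttps://discordapp.com/api/webhooks/987654321098765432/ZyXwVu\t2048000\tmultipart/form-data
"""


def parse_line(line: str) -> Dict:
    """Split one tab-separated proxy log line into a record."""
    ts, client, method, url, nbytes, ctype = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method,
            "url": url, "bytes": int(nbytes), "ctype": ctype}


def find_webhook_posts(lines: Iterable[str], large_bytes: int = 50_000) -> List[Dict]:
    """Return every POST to a Discord webhook, rated by how much it looks like exfiltration.

    A normal webhook message is a small JSON body. A multipart/form-data body
    carries a file attachment, and a large body of any type moves a lot of
    data, so both are rated "high"; small JSON posts are rated "medium".
    """
    hits: List[Dict] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        m = WEBHOOK_RE.match(rec["url"])
        if rec["method"] != "POST" or m is None:
            continue
        is_upload = rec["ctype"].lower().startswith("multipart/form-data")
        severity = "high" if is_upload or rec["bytes"] >= large_bytes else "medium"
        hits.append({**rec, "webhook_id": m.group(1), "severity": severity})
    return hits


def bytes_per_client(hits: Iterable[Dict]) -> Dict[str, int]:
    """Sum request bytes sent to webhooks per internal client, for triage."""
    totals: Dict[str, int] = {}
    for h in hits:
        totals[h["client"]] = totals.get(h["client"], 0) + h["bytes"]
    return totals


if __name__ == "__main__":
    found = find_webhook_posts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> webhook {h["webhook_id"]} '
              f'{h["bytes"]} bytes {h["ctype"]} [{h["severity"]}]')
    print("bytes per client:", bytes_per_client(found))
```

The webhook ID in the URL is the useful pivot: the same ID recurring from several hosts, or appearing at all on a network with no legitimate Discord use, is worth an alert on its own, and the per-client byte total separates a chat integration from a machine uploading its files. Legitimate integrations do post to webhooks, so the rating is a triage aid rather than a verdict.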
Trellix believes the attack is highly targeted, as it hasn't seen any further related samples in its telemetry. "This suggests the attack was targeting only the Ukrainian critical infrastructure organizations where the sample was recovered, and any further stages apart from those described couldn't be retrieved," they explained.
It's also worth mentioning, the researchers say, that the campaign was probably in its early stages, as the final payload was all about gathering system information. "The actor could send a more sophisticated piece of malware to the compromised systems in the future by modifying the file stored in the GitHub repository," the researchers warn.
One of the reasons Discord isn't being used by APTs on a bigger scale is the lack of full control over the C2 server. Should they be compromised, Discord can terminate their account at any time, potentially cutting off access to any sensitive information they might have obtained in the meantime.
By way of BleepingComputer