Attackers are finding the file-sharing capabilities in popular group-chat apps such as Discord and Slack a convenient way to distribute malware, warns a new report from Cisco Talos, Cisco’s threat intelligence unit. The risk isn’t just that hackers can gain access to a particular channel and trick people in it into downloading malware. Once a file containing malicious code is uploaded, attackers can also grab a freely accessible link to that file where it’s hosted on the chat system’s servers. Then, they can send that link to people via phishing emails, misleading texts, or any other method they have of reaching potential victims. In some cases, malware can connect to these sorts of links to download additional malicious code once it’s already running on victims’ machines. Some malware also uses group-chat apps to share data with and receive commands from the people operating it, according to the report. In particular, Discord has an API (application programming interface) that enables programs to automatically post messages to channels on the service via a digital address called a webhook. That’s useful for many legitimate purposes, but it’s also valued by malware creators who want their software to essentially phone home from infected machines. And during the coronavirus pandemic, as more people are using platforms such as Discord and Slack to stay in touch with friends, coworkers, and others, so too are criminals moving to these tools for their own convenience, according to the Cisco Talos researchers. Malware and commands sent through these channels can blend in with other, legitimate traffic. “We’ve seen a marked increase in the abuse of collaboration apps like Discord and Slack to be used to both distribute malware and as a command-and-control system,” says Nick Biasini, a Cisco Talos threat researcher who worked on the report. Functionality such as that offered by Discord “allows them to manage command and control without having to manage their own server.” One challenge for people trying to thwart these attacks is that malware and commands sent through these channels can blend in with other, legitimate traffic to files and chat rooms hosted on these platforms. Seeing a URL that mentions Discord, Slack, or another trusted channel might also help lull users into a false sense of security when it appears in a phishing email. And it’s also not possible for security experts to take down the domain hosting the malicious content, since it’s commingled with legitimate Slack or Discord files from around the world rather than on a domain of its own. In some cases, hackers use malware to harvest digital access tokens that can be used to connect to Discord, according to the report.
See the original post here:
Discord and Slack are becoming potent tools for malware attacks