A sophisticated malware campaign is abusing a subtle weakness in Discord's invite mechanism to deliver payloads including the AsyncRAT remote access trojan and a custom build of the Skuld information stealer.
Cybersecurity researchers who uncovered the campaign, referred to as modPipe, found that it targets cryptocurrency holders in an attempt to steal their personal information and digital assets.
The attack abuses the way Discord handles invite links that have expired or been deleted: the invite code is freed up and can be registered again by a different server, and custom vanity links are the ones most worth watching out for. Threat actors re-register these codes so that the original links, still posted around the web, silently redirect would-be members away from legitimate communities and into attacker-controlled Discord servers.
Anyone who clicks one of these hijacked links, which are often embedded in older forum messages or social media posts, is then funneled into a multi-stage infection chain that ends with malware running on the host.
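The practical check this implies for a community operator is to re-resolve every invite link you ever published and confirm it still lands on your server. The script below is an added example written for this article, not tooling from the researchers or from Discord. It extracts invite codes from saved post text, resolves each one through Discord's public, unauthenticated invite endpoint (`GET https://discord.com/api/v10/invites/{code}`, which returns the guild the code currently points to and a 404 once the invite is gone), and compares the result with the guild ID you expect. The lowercase-only "vanity-style" flag is a heuristic assumed here, based on Discord vanity URLs being limited to lowercase letters, digits and hyphens; the sample posts, guild IDs and the offline resolver are constructed so the example runs without network access.

```python
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Invite links as they appear in old forum posts, wikis and social media:
# discord.gg/CODE, discord.com/invite/CODE, discordapp.com/invite/CODE.
# The CODE is the part that can be re-registered by another server.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)"
)


@dataclass
class Finding:
    code: str
    status: str               # "ok": still our server, "redirected": another server, "dead": no longer resolves
    guild_id: Optional[str]   # guild the code resolves to now, or None when the invite is gone
    vanity_style: bool        # lowercase-only code: the form a custom vanity URL takes


def is_vanity_style(code: str) -> bool:
    """Heuristic (an assumption of this example): Discord vanity URLs are lowercase
    letters, digits and hyphens, while randomly generated invite codes are mixed case.
    A lowercase-only code is the kind that can be claimed as a vanity URL once freed."""
    return code == code.lower()


def default_resolver(code: str) -> Optional[str]:
    """Resolve an invite code with Discord's public invite endpoint and return the
    guild id it currently points to, or None if the invite no longer exists (HTTP 404)."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return (data.get("guild") or {}).get("id")


def audit_invites(text: str, expected_guild_id: str,
                  resolve: Callable[[str], Optional[str]] = default_resolver) -> list:
    """Find every invite code in `text`, resolve it, and classify it against the
    guild id the link was originally published for."""
    findings = []
    for code in dict.fromkeys(INVITE_RE.findall(text)):   # de-duplicate, keep order
        guild = resolve(code)
        if guild is None:
            status = "dead"          # freed code: candidate for re-registration
        elif guild == expected_guild_id:
            status = "ok"
        else:
            status = "redirected"    # the link now sends people somewhere else
        findings.append(Finding(code, status, guild, is_vanity_style(code)))
    return findings


# Constructed sample of old posts that mention invite links (not real servers).
SAMPLE_POSTS = """\
[2021 forum thread] Join our trading community: https://discord.gg/aB3dE9fG
[2022 wiki] Official support server: discord.com/invite/cryptochat
[2020 tweet] Come hang out -> https://discord.gg/xY7zQ2pL !
"""

# Constructed resolver data standing in for live API responses:
# "aB3dE9fG" still points at our guild 111, "cryptochat" now points at a
# different guild 999, and "xY7zQ2pL" no longer resolves at all.
OFFLINE_RESOLVER_DATA = {"aB3dE9fG": "111", "cryptochat": "999"}


def offline_resolver(code: str) -> Optional[str]:
    return OFFLINE_RESOLVER_DATA.get(code)


if __name__ == "__main__":
    # Swap offline_resolver for default_resolver (and use your real guild id) to audit live links.
    for f in audit_invites(SAMPLE_POSTS, expected_guild_id="111", resolve=offline_resolver):
        flag = " [vanity-style]" if f.vanity_style else ""
        print(f"{f.code:<12} {f.status:<10} guild={f.guild_id}{flag}")
```

Against the live endpoint the call is unauthenticated but rate limited, so pace the requests when auditing a large archive. The two results worth acting on are "redirected" (the link already sends people to another server and the post should be edited) and "dead" (the code is free and a vanity-style one can be claimed, so replace the link before someone else does).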
Once inside the malicious server, victims are asked to complete a "verification" step, which almost always means authorizing a bot or clicking a fake "Verify" button that leads to a suspicious website.
That verification flow quietly runs malicious scripts that download the malware. The attackers use multi-stage loaders and time-delayed execution to evade analysis, and they host payloads and exfiltrate data through well-known services such as Pastebin, GitHub and Bitbucket, so their traffic blends in with ordinary network activity and escapes threat hunting.
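Because the payload hosting rides on services that every network talks to, blocking the domains is rarely an option; what stands out instead is the combination of a raw-content URL on one of those services and a client that is not a browser. The following detector is an added example written for this article, not a rule from the researchers or any vendor product. It runs over constructed, tab-separated proxy log lines (timestamp, source IP, user agent, URL), flags raw-content fetches from Pastebin, GitHub and Bitbucket made by scripting clients, and groups the flagged hosts per source so that a loader pulling stages from several services in sequence is easy to spot. The host and path patterns and the user-agent list are assumptions for the example and should be tuned to your environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Paths on the named services that return raw file content rather than an HTML page.
# Assumed patterns for this example; extend them for the services you see in your logs.
RAW_CONTENT_PATHS = {
    "pastebin.com": re.compile(r"^/raw/"),
    "raw.githubusercontent.com": re.compile(r"^/."),
    "github.com": re.compile(r"/(?:raw|releases/download)/"),
    "bitbucket.org": re.compile(r"/(?:downloads|raw)/"),
}

# Clients a person browsing these sites would not produce. Note that PowerShell's
# Invoke-WebRequest sends a user agent that starts with "Mozilla/5.0", so a naive
# "does it start with Mozilla" browser check would miss it; match the product token instead.
SCRIPT_UA = re.compile(
    r"WindowsPowerShell|PowerShell/|curl/|Wget/|python-requests|Go-http-client|libwww", re.I
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    host: str
    url: str
    reason: str


def raw_content_host(url: str):
    """Return the service host if `url` points at raw file content on a watched service."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    pattern = RAW_CONTENT_PATHS.get(host)
    if pattern and pattern.search(parsed.path):
        return host
    return None


def detect(lines) -> list:
    """Flag raw-content fetches from watched services made by a scripting client."""
    alerts = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        try:
            ts, src_ip, user_agent, url = line.split("\t", 3)
        except ValueError:          # malformed line: skip rather than crash the sweep
            continue
        host = raw_content_host(url)
        if host is None:
            continue
        if SCRIPT_UA.search(user_agent):
            alerts.append(Alert(ts, src_ip, host, url, "raw payload fetch by script user agent"))
    return alerts


def hosts_per_source(alerts) -> dict:
    """Distinct flagged services per source IP: several in a row looks like a staged loader."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src_ip].add(a.host)
    return {ip: sorted(hosts) for ip, hosts in seen.items()}


# Constructed proxy log lines (timestamp, src IP, user agent, URL). Not real traffic.
SAMPLE_LOG = """\
2025-06-10T14:01:02Z\t10.0.0.5\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0 Safari/537.36\thttps://github.com/example-org/example-repo
2025-06-10T14:03:11Z\t10.0.0.5\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1\thttps://pastebin.com/raw/AbCdEfGh
2025-06-10T14:03:14Z\t10.0.0.5\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1\thttps://bitbucket.org/example-user/example-repo/downloads/stage2.bin
2025-06-10T14:05:40Z\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0 Safari/537.36\thttps://raw.githubusercontent.com/example-org/example-repo/main/README.md
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.src_ip} {a.host} {a.reason}: {a.url}")
    print("services per source:", hosts_per_source(found))
```

In the sample, the browser visit to a GitHub project page and the browser fetch of a raw README produce nothing, while the two PowerShell fetches from 10.0.0.5 are flagged and grouped, which is the "one host pulling stages from two different public services within seconds" pattern that a hunt query should surface. Developers and CI runners will trigger this rule legitimately, so pair it with an allowlist of build hosts rather than shipping it as a hard block.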
AsyncRAT gives the attackers full remote control of compromised systems. Skuld Stealer, written in Go, harvests a wide range of data: Discord credentials, browser data and cryptocurrency wallet information.
Skuld is known to pilfer seed phrases and passwords from popular wallets such as Exodus and Atomic, in some cases by replacing legitimate application files with trojanized ones, a technique known as wallet injection.
The attacks are financially motivated, as shown by more than 1,300 installs worldwide, with victims in the U.S., Vietnam, France, Germany and the U.K. Security experts advise Discord users to be extremely wary of invite links, even those from reputable sources, and to treat unexpected verification requests with suspicion in order to protect their accounts and funds.