Cybercriminals are increasingly leveraging tools in collaboration apps like Discord and Slack to distribute and control malware during the remote work era, according to new research.
During the coronavirus pandemic, researchers at Cisco's Talos Intelligence have tracked a significant rise in attacks that use remote collaboration platforms. The threats involved include remote access trojans (RATs), information stealers, IoT malware, and others.
The researchers cite the shift to remote work and the increasing reliance on collaborative tools as a reason why the attacks have increased. Cybercriminals exploiting collaboration tools isn't new, but the increased reliance on work apps has caused more attackers to modify their tactics.
The attacks aren't directly using exploitable code flaws in Slack or Discord. Cybercriminals are using seemingly trustworthy links in Slack or Discord to serve malware to victims. Other attackers are using Discord to remotely control code running on infected machines and steal data from those devices.
"Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments," Talos wrote in a blog post.
Additionally, some malware campaigns don't even require a victim to have Slack, Discord, or other collaboration apps on their machines. Attackers may just email links to malicious files hosted on those platforms.
Cisco's researchers say that abusing the file hosting features of platforms like Discord and Slack has become one of the most common attacks. Some of the malicious programs uploaded to Slack and Discord servers include the Phoenix Keylogger and LimeRAT.
Users are likely more trusting of Discord and Slack links during the global health crisis, but attackers are taking advantage of other features, too. File compression and HTTPS encryption, for example, can obfuscate the malware. Files hosted on commonly used apps are also harder to block or take down.
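As a defensive illustration of the emailed-link and compressed-file delivery described above, the following added example (not code from Talos or from the article) triages links in an email body that point at collaboration-platform file hosting. The hostnames and extension lists are assumptions chosen for illustration, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed file-hosting hostnames for the two platforms (not listed in the article).
COLLAB_FILE_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}
EXECUTABLE_EXT = {"exe", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "jar", "lnk", "hta"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img", "gz", "cab"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def classify_url(url):
    """Return why a URL deserves review, or None if it does not match."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    # .hostname is already lower-cased; an exact match rejects lookalike
    # hosts such as cdn.discordapp.com.example.net.
    host = (parts.hostname or "").rstrip(".")
    if host not in COLLAB_FILE_HOSTS:
        return None
    # Decode %-escapes and ignore the query string before reading the extension.
    filename = unquote(parts.path).rsplit("/", 1)[-1].lower()
    exts = filename.split(".")[1:]
    if not exts:
        return None
    if exts[-1] in EXECUTABLE_EXT:
        if len(exts) > 1 and exts[-2] in DECOY_EXT:
            return "executable behind a document-style double extension"
        return "executable"
    if exts[-1] in ARCHIVE_EXT:
        return "compressed archive"
    return None

def triage_email(body):
    """Return (url, reason) pairs for every flagged link in an email body."""
    urls = [m.rstrip(".,;)") for m in URL_RE.findall(body)]  # drop trailing punctuation
    return [(u, r) for u in urls if (r := classify_url(u))]

# Constructed sample message; IDs and file names are placeholders.
SAMPLE_EMAIL = """Hi, the updated invoice is here:
https://cdn.discordapp.com/attachments/000000000000000000/000000000000000000/Invoice%2Epdf.exe?x=1
Backup copy: https://FILES.SLACK.COM/files-pri/T0000-F0000/download/report.zip.
Notes: https://files.slack.com/files-pri/T0000-F0000/notes.txt
Mirror: https://cdn.discordapp.com.example.net/attachments/1/2/tool.exe
"""
```

A match is a reason to inspect the file, not a verdict: the check only reads the URL, so it cannot see what an archive contains.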
"Malicious threat actors are always trying to find new and effective ways to get malware executing on systems and one of the biggest challenges is distribution," the researchers wrote. "As chat apps like Discord, Slack and many others rise in popularity, organizations need to assess how these applications can be abused by adversaries and how many of them should be allowed to operate inside your enterprise."
Other cybersecurity firms have corroborated the Talos findings. Back in February, Zscaler said that it has been tracking as many as two dozen malware variants per day being delivered via fraudulent Discord links.
Cisco advises caution when clicking on links hosted or sent via collaboration tools. A good rule of thumb is to never click on links from someone you don't know or trust.