Recent Flood of Malware Abuse
Hi All,
Update: I've made a Reddit post with more details. Please refer to it now.
TL;DR: Several malicious cybercrime campaigns have been heavily abusing the Discord CDN, and Discord has been slow to act, which in our opinion needs an urgent change.
Recently we noticed that the Discord CDN servers have been massively flooded by malicious cyber crooks hosting plain/encoded malware executables. However, the reporting process is painfully slow, constantly taking 2 weeks or more for a report to be processed. By that time the malware has already been widespread or even taken down, rendering the reporting effort a complete waste.
Just as a reference, and to give everyone an idea of how bad the issue has been, we compiled the list below showing all the malicious files hosted on the CDN server intended for malicious distribution, gathered in a 7-day period. (The links are still alive as of Oct. 30, 2021, and have been crudely sanitized. Please do not recover the links unless you are trying to analyze those samples.)
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901431623923413002/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901005160141193246/myfile.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901545159412568165/myfiles.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901550528134279178/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891021838312931420/899962871100899338/PL_Client.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/900006948601200660/help19_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/900013191009034300/passat19_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]896617596772839426/897483264074350653/Service.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/900019962427609158/real19_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899974525217824808/Plim19_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899996004672241735/sloader19_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901550422970495077/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]898871041424781335/900925485649887232/x.dll
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891021838312931420/898197641001836594/PL_Client.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899575005317316648/ruzki18_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899387113353670687/e5f17_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899632684890992680/sloader18_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899599401486532668/Super18_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899246347331461130/help17_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899606173743992842/jdksaj321.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899637220380643358/Blithering.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/898922162541461544/inst4.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]897730497315209229/897734621037473842/Setup12.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899385439583092826/leon.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901845271472914492/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/901898711595094046/help24_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902184794341912676/plim25_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902111013594333204/passat25_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902099044703285269/real25_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/901767898303963136/5780_2401.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899688199792779304/xldr_cube.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891021838312931420/901062273064382484/PL_Client.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902167265666023434/DC48270C.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902167267440222268/0DACC8E5.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902143329544859648/A0E28ADF.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/894636941851652176/EF77C3DB.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902548792065290360/filthybrat699994.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902547187278422056/Bolgarka.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899688199792779304/xldr_cube.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902465440599662602/passat26_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902522052609708042/help26_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902535542342815794/9E49426B.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902535544452575322/F5B947FD.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902561973865181224/C1E0AF0D.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902432965332721664/5780_2601.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891021838312931420/902505896159113296/PL_Client.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/902574253122150450/urlhelp26_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/902595579161505792/myfile.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/902969903496179762/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903388667924598854/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903729346898964521/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903726559364542505/myfiles.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903659590175060058/LOL.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/903604851408240651/01233C9D.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903659203854491698/fun2.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903660106024120380/urhelperrr669737.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903511545156345916/help29_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]851544655061581898/903307529361195089/Instal.EXE
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903756369671389184/wetsetup30_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903687654661586974/5780_2901.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903583030453604372/dfas.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903556630199799868/passat29_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903731286814900244/wetsetup.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903694495420399646/help29_01.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/903635358149910548/real29_02.bmp
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/903575931979984906/B3D85230.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]897730497315209229/902857877717389342/Setup12.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/904070900964536430/90000747287171161449.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/903585691961790504/1B7B6D0D.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/903585693551448084/3237AA2E.jpg
hxxpz://[cdn.]discord[app.]com[/]attachments[/]877272832290213889/903302723326312469/File.png
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903620995196256256/pctool.exe
hxxpz://[cdn.]discord[app.]com[/]attachments[/]902593911397175306/903620832692154368/pctool.exe
It's worth mentioning that some of the channels seem to be really dedicated to hosting malware, such as the ones with IDs 891006172130345095, 893177342426509335, 902593911397175306, etc.
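To see the per-channel clustering the sentence above points at, here is an added example (not part of the original post) that parses the sanitized `hxxpz://[cdn.]discord[app.]com[/]attachments[/]...` lines exactly as listed, so no live URL is ever reconstructed, and counts unique uploads per channel ID. The `SAMPLE_INDICATORS` subset is copied from the list above; the threshold used to call a channel "dedicated" is an assumption for illustration.

```python
"""Cluster the defanged Discord CDN indicators above by channel ID.

Added example, not part of the original post. It parses the sanitized
'hxxpz://[cdn.]discord[app.]com[/]attachments[/]...' form directly, so no
live URL is reconstructed. SAMPLE_INDICATORS is a subset copied from the
list above; the "dedicated" threshold is an assumption for illustration.
"""
import os
import re
from collections import Counter, defaultdict

# The bracket tokens are the post's own sanitization. Discord attachment paths
# are /attachments/<channel snowflake>/<attachment snowflake>/<filename>.
DEFANGED_RE = re.compile(
    r"^hxxpz://\[cdn\.\]discord\[app\.\]com\[/\]attachments\[/\]"
    r"(?P<channel>\d+)/(?P<attachment>\d+)/(?P<filename>[^\s/]+)$"
)

SAMPLE_INDICATORS = [
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]900442917435473960/901431623923413002/pctool.exe",
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]891021838312931420/899962871100899338/PL_Client.bmp",
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/900006948601200660/help19_02.bmp",
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/900013191009034300/passat19_02.bmp",
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]893177342426509335/902167265666023434/DC48270C.jpg",
    # xldr_cube.bmp appears twice in the list above; the clustering must not double count it.
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899688199792779304/xldr_cube.bmp",
    "hxxpz://[cdn.]discord[app.]com[/]attachments[/]891006172130345095/899688199792779304/xldr_cube.bmp",
    "not an indicator line",
]


def parse_indicator(line):
    """Return (channel_id, attachment_id, filename), or None for non-matching lines."""
    m = DEFANGED_RE.match(line.strip())
    if m is None:
        return None
    return m.group("channel"), m.group("attachment"), m.group("filename")


def cluster_by_channel(lines):
    """Map channel ID -> list of filenames, unique by (channel, attachment, name)."""
    seen = set()
    per_channel = defaultdict(list)
    for line in lines:
        parsed = parse_indicator(line)
        if parsed is None or parsed in seen:
            continue
        seen.add(parsed)
        channel, _attachment, filename = parsed
        per_channel[channel].append(filename)
    return dict(per_channel)


def dedicated_channels(per_channel, min_files=3):
    """Channels with at least min_files unique uploads, most prolific first."""
    ranked = sorted(per_channel.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [channel for channel, files in ranked if len(files) >= min_files]


def extension_summary(per_channel):
    """Count the claimed extensions across all channels (the .bmp/.jpg here are not images)."""
    counts = Counter()
    for files in per_channel.values():
        for name in files:
            counts[os.path.splitext(name)[1].lower()] += 1
    return counts


if __name__ == "__main__":
    clusters = cluster_by_channel(SAMPLE_INDICATORS)
    for channel in dedicated_channels(clusters):
        print(channel, len(clusters[channel]), "unique files")
    print(dict(extension_summary(clusters)))
```

Feeding the full list above through `cluster_by_channel` is the quickest way to confirm the observation that a handful of channel IDs account for most of the uploads, and the extension summary makes the "images that are not images" pattern visible before any sample is downloaded.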
The files listed above can generally be categorized into 3 groups. Those with ".exe" extensions are plain malware; just upload them to VirusTotal to check the detection. Those with ".jpg" extensions are encoded text files (yes, those are not JPEG images) intended to be downloaded, decoded and executed by malicious droppers. The attack metrics were detailed in this amateur report produced by one of our friends (note: EF77C3DB.jpg uses a different scheme; DC48270C.jpg and 0DACC8E5.jpg are grouped together, as are 9E49426B.jpg and F5B947FD.jpg).
The rest of the files, with ".bmp" extensions (again, not really BMP images), are malicious executables XOR'd with the single byte 0x9D repeated. All the files are dynamically decoded by droppers and executed on victims' machines. We have uploaded most of the decoded files to VirusTotal (VT links not attached since there are too many) and the detection rates are high.
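For analysts triaging such a download, the two checks that matter are whether the content matches the claimed extension and, if not, whether it is a PE file hidden behind a single repeated XOR byte as described above. The following is an added example, not code from the original post: the sample bytes are a constructed minimal MZ/PE stub (not one of the real files), and the key-recovery step generalizes the 0x9D case to any single-byte key by exploiting the fact that the first decoded byte must be `M`.

```python
"""Triage a disguised CDN download: does the content match its extension,
and if not, is it a PE file XOR'd with one repeated byte?

Added example, not from the original post. The sample bytes below are
constructed (a minimal MZ/PE stub), not a real binary from the list above.
"""
import os
import struct

# Leading bytes a file with the given extension should start with.
MAGIC_BY_EXT = {
    ".bmp": (b"BM",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
}


def extension_matches_magic(filename, data):
    """True/False when the extension is known, None when we have no magic for it."""
    magics = MAGIC_BY_EXT.get(os.path.splitext(filename)[1].lower())
    if magics is None:
        return None
    return any(data.startswith(m) for m in magics)


def xor_decode(data, key):
    """XOR every byte with the same single-byte key (the scheme the post describes)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor_key(data):
    """Return the key k for which xor_decode(data, k) is a PE file, else None.

    With one repeated key, data[0] ^ k must equal ord('M'), so there is only
    one candidate; the PE-signature check at e_lfanew rules out chance hits.
    """
    if len(data) < 0x40:
        return None
    key = data[0] ^ ord("M")
    return key if looks_like_pe(xor_decode(data, key)) else None


def triage(filename, data):
    """Classify a downloaded blob the way an analyst would at first glance."""
    if looks_like_pe(data):
        return {"verdict": "plain-pe", "key": None}
    key = recover_single_byte_xor_key(data)
    if key is not None:
        return {"verdict": "xor-encoded-pe", "key": key}
    matches = extension_matches_magic(filename, data)
    if matches is True:
        return {"verdict": "extension-consistent", "key": None}
    if matches is False:
        return {"verdict": "mismatch-undetermined", "key": None}
    return {"verdict": "unknown-extension", "key": None}


def build_stub_pe():
    """Constructed stand-in for a PE file: MZ header, e_lfanew = 0x40, PE signature, padding."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 28


SAMPLE_PLAIN_PE = build_stub_pe()
SAMPLE_XORED_BMP = xor_decode(SAMPLE_PLAIN_PE, 0x9D)  # what a ".bmp" on the list looks like on disk
SAMPLE_REAL_BMP = b"BM" + b"\x00" * 62                 # constructed genuine-looking bitmap header

if __name__ == "__main__":
    for name, blob in [("pctool.exe", SAMPLE_PLAIN_PE),
                       ("passat19_02.bmp", SAMPLE_XORED_BMP),
                       ("real.bmp", SAMPLE_REAL_BMP)]:
        print(name, triage(name, blob))
```

The `.jpg` files described above use a different, unspecified encoding and fall out of `triage` as `mismatch-undetermined`; that verdict alone (an image extension whose bytes are neither an image nor a recoverable PE) is a reasonable trigger for deeper analysis or a report.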
Our message to Discord is clear: Discord staff, please seriously consider prioritizing the malware report handling procedure. As amateurs, we didn't expect at all to see such a large number of malware samples dedicatedly hosted on a social media platform within a 5-day window. It turned out that Sophos had already published a post warning about the issue back in July, but the abuse seems to keep getting worse. We've also reported multiple malware abuses on dedicated file hosting services such as MediaFire and Mega.nz, with both companies acting swiftly to take down the threats, usually within hours after reports are filed. Please look at those prime examples of how to deal with malware abuse.
Moreover, there is a partial solution to this: remove the ability to host user-derived content on CDN servers that everyone can access. Just enforce a session requirement and check whether the user has permission to access the channel for all user-derived uploads. That way, normal users clicking on files in chat won't be affected at all, while hidden downloads will no longer work.
Appendix: VirusTotal scans of the dropper executables that linked to the files on the list above:
https://www.virustotal.com/gui/file/cdddcd262b2e5bef3857df8ab778c876137d7ee90ace6c88c23e472e1cd0c9b8
https://www.virustotal.com/gui/file/c441c9f79d619a1ebd2b85be8046b515d46857eee3e554f3fadb7c3b3f8a4c79
https://www.virustotal.com/gui/file/b87ec9592c5dcde6cd7f1a57ce1127ffd34bae73e544f0068869d41ffd5cb7db
https://www.virustotal.com/gui/file/74780f75dd38f01d4b20d3337db5c4f42b021a0e453d078a999cfb977a79ac00
https://www.virustotal.com/gui/file/07717ef6caf01738d425452b88f449344d6747a87c7359e8515ced5ca3d6050b
https://www.virustotal.com/gui/file/5887b488595dcfc3f422c721f7348d5b61cd8a2c37f43380ada9240baf460f28