The growing popularity of VoIP messaging service Discord among gamers is attracting hackers, according to Symantec.
In a blog post, the company claims to have detected several Trojans in gaming chatrooms, specifically three types of malware; Nanocore, njRAT and SpyRAT.
Since being released in March last year, Discord's popularity has increased especially among gamers, given that it is free, simple, multi-platform, and innovative. As of July 2016, more than 11 million people have used it.
Using its chat feature, Discord's users can post messages and links, embed pictures and videos, and upload attachments. Most gamers' teams and guilds also use some chat channels as documentation boards, explained Symantec.
“Since the chat app allows members to upload most types of files, attackers can create a server and post or upload malicious attachments to the chat, then use it in a second-stage attack as a download site,” said Lionel Payet, threat intelligence officer at Symantec.
“Other attackers don't have to create a server of their own—they could simply manually post malware to a server they had been invited to, so they could bait other unwitting users into opening the threat.”
As well as the remote access Trojans mentioned earlier, Symantec has also found various info stealers, Trojan Horse malware samples, and downloaders hosted on Discord.
Payet said the majority of targets are from the gaming community. “The app does attract a large number of video-streamers as its technology allows for synergy, a mode that lets users hide sensitive information while streaming content such as gaming sessions,” he added.
The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim's computer.
“This data can be valuable to attackers just as much as other personally identifiable information (PII), such as user's bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process,” said Payet.
Pascal Geenens, Radware's EMEA security evangelist, told SCMagazineUK.com that as with any client/server messaging protocol, the SIP server can be vulnerable to buffer overflows providing an attack vector to breach the server and gain access to the enterprise network.
“Another concerning point for SIP is the existence of an instant messaging extension (RFC 3428) which provides all the attack vectors any messaging service provides. This is the way Discord has been abused by hackers,” he said.
“The largest opportunity hackers see in Discord is the ease of hosting a new messaging server. The Discord messaging client allows anyone to be a server – this is the community aspect of the Discord service – anyone can host a server and the system becomes completely distributed and uncontrolled at the same time.
Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC that this is another case of hackers trying to get their prospective victims to take some sort of action.
“Most malware infections today require users to click on a link, download and execute a file, and/or open an attachment and enable macros, etc. In this scenario, hackers upload malware infected files to Discord servers and try to get their victims to download the files they've uploaded. This is not a highly sophisticated attack. Instead it's just another way of spreading malware to unsuspecting users,” he said.
Mark James, security specialist at ESET, told SC that installing a good multi layered regular updating security product will help to keep gamers and others safe.
“Keeping your operating system and applications up to date and always try where possible to check the validity of any links and ask around. If others have been infected they will often be quite vocal about it. If you're able try to manage who has access or permission to your servers or chat rooms, and always remember if it looks too good to be true, it often is.”