Discord security enhanced after vulnerabilities discovered
  • Discord security enhanced after vulnerabilities discovered

    Important notice for Discord users, first seen in this article on Polygon (which references this blog article by Symantec).

    Originally posted by http://www.polygon.com/2016/10/24/13359340/discord-malware-virus-symantec-norton-warning
    Chat service Discord gets enhanced security after vulnerabilities discovered
    Symantec says it’s working to make the free chat service safer
    by Charlie Hall @Charlie_L_Hall Oct 24, 2016, 2:30p

    Security firm Symantec, makers of the popular line of Norton consumer software products, says that users of the Discord service could be at risk. It seems that malicious malware has been making the rounds, and the company is working with Discord to remove those files and better protect users going forward.

    “Symantec Security Response contacted Discord’s security team when the discovery was made,” Symantec said in a news release. “Discord quickly removed the malicious files from the servers’ chat channels. Discord has since added a new virus scan feature which runs on the backend whenever a user uploads an executable or archive file.”

    “Discord takes the security and safety of our community very seriously,” a Discord representative told Polygon. “As part of our approach to creating a safe environment for everyone using Discord, we recently rolled out a protective service for all uploaded files that scans and deletes any malware or infected files. In addition, all file downloads go through the user’s web browser, such as Chrome, which has an additional layer of security.”

    Discord has taken off in the last year as the go-to solution for gaming communities. It offers a Slack-like interface, file sharing and voice communication as well as API hooks for many popular games. That popularity has led to exploits. Symantec noted that it had also detected evidence of stolen consumer data being shared on a Discord-based black market.

    Earlier this month, the Discord blog published a lengthy, tongue-in-cheek, mostly meme-based security roundup. It mentioned things like two-factor authentication and tools for streamers sharing their channels publicly. For its part, Symantec suggested a few common-sense steps, which include using Discord’s permission control features and automating monitoring using community-created bots.

    You can read the full [Symantec] press release here. [Quoted following]
    Originally posted by https://www.symantec.com/connect/blogs/attackers-use-discord-voip-chat-servers-host-nanocore-njrat-spyrat
    Attackers use Discord VoIP chat servers to host NanoCore, njRAT, SpyRAT
    Malicious actors are abusing a free VoIP service for gamers to distribute remote access Trojans, as well as infostealers and downloaders.
    By: Lionel Payet SYMANTEC EMPLOYEE
    Created 20 Oct 2016

    Discord, a free VoIP service designed for gaming communities, has had its chat servers abused to host malware. Most of the malicious samples found distributed on the app were remote access Trojans (RATs), such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat), among others.

    Since it was released in March 2015, Discord's popularity has increased especially among gamers, given that it is free, simple, multiplatform, and innovative. As of July 2016, more than 11 million people have used it.

    Any Discord user can create a server, or group, in less than 10 seconds. Most of the groups on Discord are gamer gatherings (teams, guilds, clans) that use the VoIP service to communicate (via chat or voice) whether gaming or not.

    Other groups focusing on a broader audience have also surfaced on Discord. For example, IT security researchers have created servers on Discord. In some cases, users have set a never-expiring invite link to their groups and advertised it on third-party websites. These are usually marketed as places where knowledge is being shared and exchanged on particular topics. Some of these groups have thousands of members—most are gaming-related, while others are tech- and anime-related.

    However, hacking groups have also set up Discord servers and are actively inviting people to join. Even shadier groups have created Discord servers that serve as a black market for the sale of malware or stolen data.

    How do attackers distribute malware on Discord?
    Using its chat feature, Discord’s users can post messages and links, embed pictures and videos, and upload attachments. Most gamers’ teams and guilds also use some chat channels as documentation boards.

    Since the chat app allows members to upload most types of files, attackers can create a server and post or upload malicious attachments to the chat, then use it in a second-stage attack as a download site. Other attackers don’t have to create a server of their own—they could simply manually post malware to a server they had been invited to, so they could bait other unwitting users into opening the threat.

    Besides the infamous and accessible RATs, such as NanoCore, njRAT, and SpyRAT, we also found various infostealers, Trojan Horse malware samples, and downloaders among the files we’ve seen hosted on Discord. These may have been part of a drive-by download strategy or social-engineering campaign.

    In our observation, NanoCore was the most prevalent among the malware hosted on Discord's chat servers. This RAT has been around since at least 2013, with a few versions leaked early last year, and NanoCore RAT activity has not ceased since then. The RAT mainly affects computers in the US, followed by Japan and Germany.

    Who are the targets?
    Since the service was designed specifically for gamers, the majority of targets are from the gaming community. The app does attract a large number of video-streamers as its technology allows for synergy, a mode that lets users hide sensitive information while streaming content such as gaming sessions.

    The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim’s computer. This data can be valuable to attackers just as much as other personally identifiable information (PII), such as users' bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process.

    Symantec Security Response has contacted Discord’s security team, who swiftly removed the malicious files from the servers’ chat channels. Discord also added a new virus scan feature, which runs on its backend servers whenever a user uploads an executable or archive file. Discord does not support or endorse third-party websites that host a list of open invite Discord servers.

    Mitigation
    Symantec recommends users adhere to the following best practices when using Discord:

    Do not download or run programs from people you do not know.
    Use the service’s permission control features which allow users to regulate the server’s users.
    Restrict users’ permissions to curb abuse on the service, or grant individual permissions for better control.
    When joining a Discord server, be careful of the content being posted on the chat channels.
    Do not give out personal information to strangers when using the voice channel.
    To stay protected against malware, Symantec advises users to keep their computers, security software, and other programs up-to-date by applying the latest patches and updates. We also advise users to be careful of links being shared on social applications.

    Protection
    Symantec and Norton products detect the malware discussed in this blog as the following:

    Trojan.Nancrat
    Backdoor.Ratenjay
    W32.Spyrat

  • #2
    I do not trust Symantec as a computer security service any more. I doubt their business model is completely kosher... Thanks for the post.



    • #3
      Am I not seeing something? Replace the word Discord with the words Internet, Email, BBS, IRC, Forum, or Web Site (adjusting for proper grammar and sentence structure, of course), and the story's no different. ...no?
      Take the time, a second to soar; for soon after, beckons a second more.



      • #4
        It seems the problem is from servers that allow anyone to upload files. I set it so only Staff can upload files so I think we should be fine (always be careful of what you're clicking on).
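
The permission advice in the Mitigation list and the staff-only upload setting described in #4 can be checked mechanically. The following is an added example, not part of the thread and not Discord's own code: it evaluates constructed role and channel data, shaped like Discord API role and channel objects, and lists which roles can attach files in each channel. It assumes each member holds a single role besides @everyone and ignores member-specific overwrites.

```python
# Constructed sample data shaped like Discord API role and channel objects.
ADMINISTRATOR = 1 << 3    # bypasses all channel overwrites
SEND_MESSAGES = 1 << 11
ATTACH_FILES = 1 << 15    # permission to upload attachments
GUILD_ID = "100"          # the @everyone role shares the guild's id

ROLES = [
    {"id": "100", "name": "@everyone", "permissions": str(ATTACH_FILES | SEND_MESSAGES)},
    {"id": "200", "name": "Staff", "permissions": str(ATTACH_FILES)},
    {"id": "300", "name": "Member", "permissions": str(SEND_MESSAGES)},
]
CHANNELS = [
    {"name": "general", "permission_overwrites": [
        {"id": "100", "type": 0, "allow": "0", "deny": str(ATTACH_FILES)},
        {"id": "200", "type": 0, "allow": str(ATTACH_FILES), "deny": "0"},
    ]},
    {"name": "screenshots", "permission_overwrites": []},
]


def effective_permissions(role, channel, roles, guild_id):
    """Permissions of a member holding only @everyone plus `role` in `channel`."""
    everyone = next(r for r in roles if r["id"] == guild_id)
    perms = int(everyone["permissions"]) | int(role["permissions"])
    if perms & ADMINISTRATOR:
        return ~0  # administrators are never restricted by overwrites
    overwrites = {o["id"]: o for o in channel["permission_overwrites"] if o["type"] == 0}
    # The @everyone overwrite applies first, then the role's own overwrite.
    for role_id in dict.fromkeys([guild_id, role["id"]]):
        ow = overwrites.get(role_id)
        if ow:
            perms = (perms & ~int(ow["deny"])) | int(ow["allow"])
    return perms


def upload_audit(roles, channels, guild_id):
    """Map channel name -> sorted role names that can attach files there."""
    return {
        ch["name"]: sorted(
            r["name"] for r in roles
            if effective_permissions(r, ch, roles, guild_id) & ATTACH_FILES
        )
        for ch in channels
    }


if __name__ == "__main__":
    for channel, names in upload_audit(ROLES, CHANNELS, GUILD_ID).items():
        print(f"#{channel}: upload allowed for {names or 'nobody'}")
```

In the sample data, the per-channel overwrite restricts uploads in one channel only, while the server-wide @everyone grant still allows every role to upload in the channel that has no overwrite.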
