Communication platforms Slack and Discord, alongside other similar applications, have reportedly suffered a series of attacks from threat actors who have been spreading malware to leverage these third-party applications as command-and-control infrastructures.
The report comes from a Cisco Talos Intelligence report dated Wednesday, April 7, 2021, which says that numerous attackers have been taking advantage of third-party chat applications, most of which are used for employee communications, to spread malware.
Based on the report released by Cisco, the security division claims that with the growth of collaboration and communication platforms at the height of the pandemic, these are now being used to send malware links to victims. According to Wired, these links are disguised in such a way that they appear trustworthy to unknowing parties.
Some of the malware families that the Cisco team has discovered being attached and sent to various users over Discord and Slack include Agent Tesla, AsyncRAT, Formbook, LimeRAT, Phoenix Keylogger, and many others.
Threatpost states that numerous threat actors and hackers alike have succeeded in delivering these files after evading security detection via encrypted HTTPS and compressed files. Some of the archive formats that have been used to further disguise these files include .ACE, .GZ, .LZH, .TAR, and .ZIP.
In a statement, the researchers from Talos said, “One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked. By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increase the likelihood that the attachment reaches the end user.”
In its blog post, Talos continued to say that “This functionality is not specific to Discord. Other collaboration platforms like Slack have similar features. Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed.”
Talos researchers state that the messages positioned themselves as documents that may interest the victims, such as invoices, purchase orders, and other similar financial transactions, reports Threatpost.
Following the incident, Wired reached out to both Discord and Slack for a statement. A representative from Discord said that the communication app regularly does routine checks and maintenance on its site to look for malware files. At the same time, the Discord spokesperson also said the company takes a proactive stance in taking down any malware hosted on the platform.
Meanwhile, Wired states that a representative from Slack said that since February of this year, the chat app has blocked .exe files and other similar links and documents from being shared and sent on the platform.