Full Report
Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware. [...]
Analysis Summary
# Incident Report: Discord Expired Invite Reuse Malware Campaign
## Executive Summary
A malware campaign exploited a vulnerability in Discord's invitation system, allowing attackers to reuse previously expired invite links to redirect victims to malicious URLs. This led to the execution of multi-stage infection chains, resulting in the deployment of Remote Access Trojans (RATs) and stealer malware capable of harvesting credentials, cookies, and cryptocurrency data. Mitigation focused on user education and advising server administrators to use permanent invite links.
## Incident Details
- Discovery Date: Not explicitly stated (the campaign was already active when Check Point researchers identified it)
- Incident Date: Not explicitly stated (ongoing exploitation of previously expired invite links)
- Affected Organization: Discord Users / Infected Endpoints
- Sector: Communication Platform / General Internet Users
- Geography: Global (Implied, as Discord is a global platform)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Utilizing pre-existing or old invite links)
- **Vector:** Exploitation of a vulnerability allowing the reuse of expired Discord invite links.
- **Details:** Attackers leveraged the vulnerability to trick victims into clicking the reused links, often leading to a "ClickFix page."
### Execution & Persistence
- **Details:** The initial execution chain involved PowerShell downloaders, obfuscated C++ loaders, and VBScript files to execute secondary stages. A scheduled task was created to re-run the malware loader every five minutes, ensuring persistence.
### Data Exfiltration/Impact
- **Details:** Deployed payloads included AsyncRAT (C2 fetched dynamically via Pastebin), Skuld Stealer (targeting browser credentials, Discord tokens, wallet data), and ChromeKatz (stealing cookies and passwords).
### Detection & Response
- **How it was discovered:** Analysis conducted by Check Point researchers.
- **Response actions taken:** The primary response involved public disclosure of the vulnerability and issuing recommendations to Discord users and server administrators.
  - *Note: Direct Discord platform remediation details are not provided in the source text.*
## Attack Methodology
- **Initial Access:** Reused/hijacked expired Discord invite links leading to a malicious landing page (ClickFix page).
- **Persistence:** A scheduled task was added to the host system to re-execute the malware loader every five minutes.
- **Privilege Escalation:** Not explicitly detailed, but escalating privileges may have been necessary for scheduled task creation.
- **Defense Evasion:** Use of obfuscated C++ loaders and VBScript files within the infection chain.
- **Credential Access:** Handled by Skuld Stealer (browser credentials, Discord tokens) and ChromeKatz (cookies, passwords).
- **Discovery:** Not explicitly detailed, likely integrated within the RAT components (AsyncRAT).
- **Lateral Movement:** Not explicitly detailed beyond the initial multi-stage download/execution process.
- **Collection:** Targeted browser data, Discord tokens, and cryptocurrency wallet data (including mnemonics via JavaScript injection and Discord webhooks).
- **Exfiltration:** Implied via AsyncRAT and Skuld Stealer capabilities.
- **Impact:** Installation of RAT, credential theft, and wallet data compromise.
## Impact Assessment
- **Financial:** Potential financial loss due to cryptocurrency theft.
- **Data Breach:** Theft of user credentials, browser cookies, and cryptocurrency wallet information (including mnemonic phrases).
- **Operational:** Impact on infected user endpoints via RAT installation and background persistence tasks.
- **Reputational:** None explicitly stated for the victims, but potential reputational impact on Discord due to the platform vulnerability.
## Indicators of Compromise
- **Network indicators:** Final payloads (malware binaries) downloaded from the legitimate Bitbucket service. C2 address for AsyncRAT fetched dynamically from Pastebin (Defanged: `pastebin[.]com`).
- **File indicators:** `AClient.exe` (AsyncRAT), `skul.exe` (Skuld Stealer), `cks.exe` (ChromeKatz).
- **Behavioral indicators:** Execution chain involving PowerShell downloaders, C++ loaders, and VBScript files. Creation of a scheduled task for 5-minute execution loops.
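The behavioral indicator above (a scheduled task that re-launches a script-based loader every five minutes) can be hunted for in exported Task Scheduler definitions. The following is an added detection example, not code from the source report or from Check Point; the task XML samples are constructed, and the list of script hosts beyond PowerShell and VBScript (cmd, mshta) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Windows Task Scheduler XML definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters the page's chain relies on (PowerShell, VBScript hosts);
# cmd and mshta are an assumption added as common equivalents.
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|wscript|cscript|cmd|mshta)(\.exe)?", re.I)

# Constructed samples: one loader-style task, one hourly backup, one 1-minute
# agent heartbeat that does not use a script host.
SAMPLE_TASKS = {
    "Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT5M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-File C:\\Users\\Public\\loader.ps1</Arguments></Exec></Actions></Task>""",
    "Backup": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions></Task>""",
    "Heartbeat": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Agent\\agent.exe</Command></Exec></Actions></Task>""",
}

def _interval_seconds(iso):
    """Convert an ISO-8601 duration such as PT5M or PT1H30M into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_tasks(task_xml_docs, max_interval=5 * 60):
    """Return names of tasks that repeat at most every `max_interval` seconds
    AND launch a script host: the combination described for this campaign."""
    hits = []
    for name, doc in task_xml_docs.items():
        root = ET.fromstring(doc)
        intervals = [_interval_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
        tight_loop = any(i is not None and i <= max_interval for i in intervals)
        commands = [(e.text or "").strip().strip('"') for e in root.iterfind(".//t:Exec/t:Command", NS)]
        # Compare only the executable's base name, ignoring any directory prefix
        uses_script_host = any(SCRIPT_HOSTS.fullmatch(re.split(r"[\\/]", c)[-1]) for c in commands)
        if tight_loop and uses_script_host:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASKS))
```

On a live host the same function can be fed the output of `schtasks /query /xml` per task; tune `max_interval` to the environment's normal repetition schedules.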
## Response Actions
- **Containment measures:** Not detailed for the endpoint; the only implied containment is that users should not click suspicious invite links.
- **Eradication steps:** Not detailed in the context of this summary, but would involve removing scheduled tasks, malware binaries, and resetting compromised credentials/tokens.
- **Recovery actions:** Following discovery, users should run AV/anti-malware scans, reset affected account passwords and Discord tokens, and restore systems where necessary.
## Lessons Learned
- **Key takeaways:** Flaws in complex software platforms (like Discord's session/invite management) can be weaponized by attackers to bypass traditional defenses. Attackers often leverage legitimate hosting services (Bitbucket) for final payload delivery.
- **What could have been done better:** Timely patching or disabling of the functionality that allowed expired invites to be reactivated. User vigilance regarding links from untrusted sources is crucial.
## Recommendations
- **Prevention measures for similar incidents:** Discord users should avoid trusting old or unexpected invite links, especially those found in older posts. Treat "verification" requests with extreme caution. Users must never execute copied PowerShell commands unless they fully understand their function. Discord server administrators are strongly recommended to exclusively use permanent invite links where possible.