A new malware campaign is exploiting a weakness in Discord’s invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan.
“Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers,” Check Point said in a technical report. “The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets.”
The issue with Discord’s invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites.
Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets.
While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases.
This ability to reuse Discord expired or deleted codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim it for their malicious server.
“This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors,” Check Point said.
The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent “Verify” button.
This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.
Specifically, clicking the “Verify” button surreptitiously executes JavaScript that copies a PowerShell command to the machine’s clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied “verification string” (i.e., the PowerShell command), and press Enter to authenticate their accounts.
But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.
At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks.
AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.
The other payload is a Golang information stealer that’s downloaded from Bitbucket. It’s equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.
Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It’s worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office.
The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome’s app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook.
The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.
Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times.
It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.
The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.
“This campaign illustrates how a subtle feature of Discord’s invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector,” the researchers said. “By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers.”
“The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain.”
