Firm Fixes VoIP RATs

Tuesday, October 25, 2016 @ 12:10 PM gHale


A Voice-over-IP (VoIP) service tightened its security after its servers were used to host and distribute remote access Trojans (RATs), researchers said.

Discord, the free VoIP service, is popular mainly among gaming communities, because it is simple and multiplatform. The service allows users to quickly create groups so gamers can communicate over VoIP — chat and voice — during a game.

Researchers created servers there, and some users created groups where knowledge was shared and exchanged.

Discord attracted hackers who set up servers and invited people to join. Some attackers created servers used as a black market for the distribution of malware or stolen data, Symantec researchers said in a blog post.

The service’s chat feature allows users to post messages and links, as well as to embed pictures and videos, and even upload attachments. Some gamers use the chat channels as documentation boards, since the chat app allows members to upload most types of files.

Attackers use the feature to create servers and post or upload malicious attachments to the chat, and then use it as a download site in second-stage attacks. Other actors can also post malware to a server they were invited to, researchers said.

According to Symantec, most of the malicious samples it discovered on the service were RATs such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat), but infostealers, Trojan horse samples, and downloaders were also found hosted on Discord. The security researchers believe the malware might have been used in drive-by downloads or social-engineering campaigns.

NanoCore, a RAT around since 2013, emerged as the most prevalent malware hosted on Discord’s chat servers. Several variations of this malware were observed early last year, and the RAT’s activity has continued constantly since then, focusing mainly on the United States, Japan, and Germany.

“The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim’s computer,” said Symantec’s Lionel Payet in a blog post. This data can be just as valuable to attackers as other personally identifiable information (PII), such as users’ bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process.

Discord’s security team removed the malicious files from the servers’ chat channels. Moreover, the service added a new virus scan feature that runs on its backend servers whenever an executable or archive file is uploaded.

To stay protected when using Discord, users should avoid downloading or running programs from people they don’t know, use the service’s permission control features to regulate the server’s users, and restrict users’ permissions to curb abuse on the service or grant individual permissions for better control.

When joining a Discord server, users should be careful of the content being posted on the chat channels and should never give out personal information to strangers. On their computers, users should install and maintain an anti-malware solution that can protect them from threats, and keep all applications on the machine up to date by applying the latest patches and updates.


