While investigating the growing use of HTML smuggling, security researchers found that threat actors are using Discord, the chat platform popular with gamers, to host malicious payloads.
Earlier, a report by Sophos senior threat researcher Sean Gallagher showed that the gaming-centric messaging platform has unintentionally become a persistent, highly available, global distribution network for malware operators, much as attackers have previously used Internet Relay Chat and Telegram.
According to Sophos, the number of URLs hosting malware on Discord's CDN in the second quarter of 2021 was 140 percent higher than a year earlier.
More recently, researchers at Menlo Security, while analyzing a new attack, also found threat actors using Discord to host malicious payloads, TechRadar reports.
The researchers explain that HTML smuggling lets attackers deliver malware past network security controls such as sandboxes, legacy proxies and firewalls. In a blog post analyzing the ISOMorph campaign, Menlo Security said:
“We believe attackers are using HTML Smuggling to deliver the payload to the endpoint because the browser is one of the weakest links without network solutions blocking it”.
Menlo Security also explains that HTML smuggling abuses legitimate HTML5 and JavaScript features designed for client-side file downloads: the payload is embedded in the page as encoded text and reassembled by the browser, so it never crosses the perimeter as a recognisable file that standard security controls could inspect or block.
Once the dropper is on the endpoint, it fetches the next-stage payload (in this campaign, from Discord's CDN) and installs remote access trojans that let the attacker use the infected machine for their own ends.
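To make the technique concrete, here is an added example (not code from Menlo Security's write-up or from the ISOMorph campaign) that builds a minimal HTML smuggling page of the kind described above and then runs a simple static detector over it. The payload is a constructed stand-in (an "MZ" header plus filler), the file name `invoice.exe` is hypothetical, and the detector is an illustration of the check a defender can run on HTML attachments or proxied pages, not a product feature. It runs offline under Node.js 16 or later.

```javascript
// Added example: an HTML smuggling page and a static detector for it.
// Node.js 16+; runs offline. The payload and HTML below are constructed here,
// not taken from the ISOMorph campaign or Menlo Security's analysis.

// Constructed stand-in for a dropped executable: an "MZ" header plus filler.
// Real campaigns smuggle ISO, ZIP or EXE files; only the leading bytes matter here.
const FAKE_PAYLOAD = Buffer.concat([Buffer.from('MZ'), Buffer.alloc(512, 0x90)]);

// How a smuggled page is built: the file travels as base64 text inside the HTML,
// so there is no separate file download for a proxy, firewall or sandbox to inspect.
// The browser reassembles it with JavaScript and offers it to the user as a file.
function buildSmugglingPage(payload, filename) {
  const b64 = payload.toString('base64');
  return `<!DOCTYPE html>
<html><body>
<p>Loading document...</p>
<script>
  // decode the embedded file in the browser (no network request for it)
  var bytes = Uint8Array.from(atob("${b64}"), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "${filename}";   // HTML5 download attribute names the dropped file
  document.body.appendChild(a);
  a.click();                     // triggers the save without a server fetch
</script>
</body></html>`;
}

// Magic bytes of the file types most often smuggled this way.
const MAGIC = [
  { type: 'PE executable', offset: 0, bytes: Buffer.from('MZ') },
  { type: 'ZIP archive', offset: 0, bytes: Buffer.from('PK\x03\x04') },
  { type: 'ISO 9660 image', offset: 0x8001, bytes: Buffer.from('CD001') },
];

// Returns the file type name for a decoded buffer, or null if none matches.
function identify(buf) {
  for (const m of MAGIC) {
    const end = m.offset + m.bytes.length;
    if (buf.length >= end && buf.subarray(m.offset, end).equals(m.bytes)) {
      return m.type;
    }
  }
  return null;
}

// Static detector: flag the JavaScript primitives smuggling relies on and decode
// every long base64 literal to see whether it carries an executable or archive.
const JS_INDICATORS = [
  /\batob\s*\(/,
  /new\s+Blob\s*\(/,
  /URL\.createObjectURL\s*\(/,
  /msSaveOrOpenBlob/,
  /\.download\s*=|\bdownload\s*=\s*["']/,
  /\.click\s*\(\s*\)/,
];
const B64_RUN = /["']([A-Za-z0-9+/]{200,}={0,2})["']/g;

function scanHtml(html) {
  const indicators = JS_INDICATORS.filter((re) => re.test(html)).map((re) => re.source);
  const embedded = [];
  for (const m of html.matchAll(B64_RUN)) {
    const decoded = Buffer.from(m[1], 'base64');
    const type = identify(decoded);
    if (type) embedded.push({ type, size: decoded.length });
  }
  // Two or more smuggling primitives plus an embedded binary is a strong signal;
  // the primitives alone also appear in legitimate client-side export features.
  const suspicious = indicators.length >= 2 && embedded.length > 0;
  return { indicators, embedded, suspicious };
}

// Usage: build the page, then scan it as a gateway or sandbox would.
const page = buildSmugglingPage(FAKE_PAYLOAD, 'invoice.exe');
console.log(JSON.stringify(scanHtml(page), null, 2));
```

The detector deliberately requires both a decodable binary and more than one of the JavaScript primitives before flagging a page, because `download` attributes and `Blob` objects are common in legitimate web applications; tuning that threshold is the practical trade-off between catching smuggled droppers and blocking ordinary client-side exports.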
To help guard against such abuse, see the safety tips Discord provides here.