Валентин Шнайдер | Hot News
16 June 2025, 14:19
Hackers hijack custom Discord links and steal access to crypto wallets
Cybercriminals are abusing Discord's custom link mechanism on a massive scale, redirecting users to fake servers that deliver info stealers targeting the data needed to access crypto wallets and browsers.
Discord has been targeted by a new phishing campaign in which attackers hijack server invite links and register the same names as vanity links. According to The Hacker News, this vulnerability allows attackers to redirect users to fake servers where they are asked to "verify" by running a malicious PowerShell script.
This script launches a complex, multi-layered infection chain that results in the installation of AsyncRAT (a full remote control Trojan) and Skuld Stealer, an info stealer that targets data from crypto wallets, browsers, and even games. Skuld pays particular attention to wallets such as Exodus and Atomic, modifying their files via GitHub repositories.
To remain undetected, the attackers disguise their traffic using legitimate platforms like Pastebin, GitHub, Bitbucket, and Discord itself. The stolen data is also transmitted via Discord webhooks. The company has already responded by removing the malicious bot, but hundreds of downloads of the infected tools remain online.
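The traffic pattern described above (payloads staged on Pastebin, GitHub and Bitbucket, data sent out through Discord webhooks) can be hunted for in endpoint or proxy telemetry. The following Python sketch is an added example, not code from the article or from the report it cites; the JSON log format, the sample events and the process lists are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample events; the field names are an assumed EDR/proxy export format.
SAMPLE_EVENTS = """\
{"host":"ws-01","process":"Discord.exe","method":"POST","url":"https://discord.com/api/v9/channels/1/messages"}
{"host":"ws-02","process":"powershell.exe","method":"GET","url":"https://pastebin.com/raw/EXAMPLE"}
{"host":"ws-02","process":"updater.exe","method":"POST","url":"https://discord.com/api/webhooks/0/EXAMPLE"}
{"host":"ws-03","process":"chrome.exe","method":"GET","url":"https://github.com/example/repo"}
{"host":"ws-04","process":"pwsh.exe","method":"GET","url":"https://bitbucket.org/example/repo/downloads/tool.zip"}
{"host":"ws-05","process":"helper.exe","method":"POST","url":"https://discord.com.example.net/api/webhooks/0/x"}
"""

# Assumed lists; tune them to the environment being monitored.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STAGING_DOMAINS = {"pastebin.com", "github.com", "githubusercontent.com", "bitbucket.org"}
DISCORD_DOMAINS = {"discord.com", "discordapp.com"}
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def in_domains(host, domains):
    """Exact or subdomain match, so discord.com.example.net does not count."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(event):
    """Return a finding label for one event, or None when nothing matches."""
    url = urlsplit(event["url"])
    host = url.hostname or ""
    proc = event["process"].lower()
    parts = [p for p in url.path.split("/") if p]
    # Webhook endpoints: /api/webhooks/... or /api/vN/webhooks/...
    webhook = in_domains(host, DISCORD_DOMAINS) and parts[:1] == ["api"] and "webhooks" in parts[1:3]
    if webhook and event["method"].upper() == "POST" and proc not in EXPECTED_CLIENTS:
        return "webhook-post-from-unexpected-process"
    if proc in SCRIPT_HOSTS and in_domains(host, STAGING_DOMAINS):
        return "script-host-fetch-from-hosting-platform"
    return None

def scan(text):
    """Classify every JSON line and return (host, process, label) findings."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [(e["host"], e["process"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Both rules match legitimate activity too (administrators scripting against GitHub, monitoring tools that post to webhooks), so the findings are leads to correlate per host rather than verdicts.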
Another attack vector is fake game-hacking apps that actually contain modified downloaders. Such apps, distributed via Bitbucket, have already garnered over 350 downloads. According to experts, users in the US, Vietnam, France, Germany, and the UK were most affected.
The vulnerability in the reuse of old invite codes is not obvious, but it is dangerous. Discord prohibits new users from restoring old regular links, but allows it with "vanity" links. This is what the hackers took advantage of, combining social engineering with technical tricks. The new case is another reminder that even small UX features can turn into serious attack vectors.
We previously reported how attackers, presumably from Russia, are distributing AtomicOS (AMOS) malware that steals passwords, crypto wallets, and system data. The attack relies on social engineering: users are led to manually run a dangerous command in the terminal.