While exploiting the VoIP application and digital distribution platform Discord is not a common occurrence, it is nothing new for the hackers creating malware tools. In the past, they have used Discord as a malware-hosting platform or a distribution service. A particular piece of malware called Spidey Bot was created to modify the Windows Discord application client and turn it into an info-stealer specifically. In other instances, evil attackers abused the Webhooks feature, a helpful tool that allows websites or third-party applications to deliver messages to Discord channels, as a place to drop collected data from compromised users.
However, a new Remote Access Trojan (RAT) named Abaddon is using Discord as a fully-fledged Command-and-Control (C2, C&C) server, something that infosec researchers have not seen before.
Once Abaddon infiltrates the targeted computer, it executes its data-collecting procedures. The RAT is capable of obtaining sensitive data such as credit/debit card details, Chrome cookies, and credentials, as well as various system information, including hardware details, IP address and country. The malware then moves on to the Steam application, if it is installed on the compromised device, and collects the login credentials and list of games. Finally, Abaddon accesses Discord tokens and multifactor authentication (MFA) information.
Once the initial set of data-gathering is complete, the RAT attempts to establish a connection with the Discord C&C server for additional commands. A check is made every 10 seconds for new instructions. The hackers can initiate five different Abaddon functionalities by sending the appropriate commands. They can get a list of all the drives connected to the infected computer, exfiltrate files or whole directories, run arbitrary commands through a reverse shell, upload all the data collected by Abaddon and clear the existing logs. Abaddon's final threatening ability is to act as a ransomware threat, although this particular 'feature' is still being developed by the hackers. The researchers at MalwareHunterTeam, who analyzed Abaddon, found out that the ransom note delivered by the malware is just a placeholder for the moment. To encrypt the files stored on the victim's computer and then demand money for their restoration is a lucrative tactic employed by cybercriminals, and it wouldn't be that surprising if Abaddon's ransomware capabilities are unleashed in just a short amount of time.