Check Point Research (CPR), the research division of Check Point Software Technologies, has seen early signs of interest from malicious actors in Discord’s emerging technology. The most prominent indicator is multifunctional malware that is freely accessible to everyone on GitHub. This malware is capable of taking screenshots, downloading and executing additional files, and performing keylogging – all using the core functionality of Discord.
Discord currently has over 150 million monthly users and is particularly popular with younger users. Discord allows users to incorporate code for advanced features that make it easier to manage a community: these are the Discord bots. As Discord has grown in popularity, so has the use of these bots. Currently, most Discord bots can be installed via central services such as top.gg, which offer a large selection of free bots.
Additionally, there are Discord bot development services that offer bespoke Discord bots at various prices.
Discord bots seem powerful, friendly, and very time-saving. But with great power comes great responsibility, and there is one thing users should be clear about: Discord’s bot framework can easily be used for malicious purposes. CPR found several malicious repositories on GitHub relevant to the Discord platform. These repositories include malware based on the Discord API and malicious bots with different functions.
An example of this is the malicious DiscordRootKit toolkit. This particular malware, written in Python, appears to have several functions:
- Open a shell on the running device.
- Harvest tokens stored by different browsers, including Opera and Yandex.
- Take screenshots.
- Capture webcam snapshots from the device’s camera.
- Log various malware actions.
- Download a file from a given link.
- Copy a file to the Windows startup directory so that it will run on boot.
Christine Schönig, Regional Director Security Engineering CER, Office of the CTO at Check Point Software Technologies GmbH, warns: “Discord offers users a wide range of features and opportunities to network, chat and share content. However, the infrastructure provided for this can also be used for malicious purposes such as developing malware, setting up botnets, C2 communication and hosting malicious files. The Discord API does not require any type of confirmation or approval and can be used by anyone. Because of these Discord API freedoms, the only way to prevent Discord malware is to disable all Discord bots. However, that in turn cannot happen without permanently damaging the Discord community. As a result, it is up to the users themselves to protect their devices.”
Steps to protect yourself from Discord-based malware and how to tell if you are infected:
- Avoid visiting unsafe and unknown websites – suspicious links are always a warning sign
- Only download files from trusted sources – do not download a file if you are unsure that it is safe
- Monitor traffic on your network – if there is Discord traffic even though Discord is not installed on the system, you may have been infected with Discord-based malware.
- If you work with Discord bots, we strongly recommend that you host unknown bots on an external server and not run them on your own computer.
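The network check in the list above, as an added example that is not part of CPR’s report: it parses constructed proxy log lines, compares the hosts that contact Discord domains against a (constructed) inventory of machines where the Discord client is actually installed, and reports hosts that talk to Discord without it. The log format, the inventory and the list of Discord domains are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "<timestamp> <host> <destination> <path>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 ws-finance-07 discord.com /api/v9/gateway
2023-05-01T10:00:05 ws-finance-07 cdn.discordapp.com /attachments/1/2/file.bin
2023-05-01T10:01:12 ws-marketing-02 discord.com /api/v9/users/@me
2023-05-01T10:02:30 ws-finance-07 gateway.discord.gg /?v=9&encoding=json
2023-05-01T10:03:44 ws-dev-11 github.com /search
2023-05-01T10:04:10 ws-hr-03 discord.com /api/v9/channels/1/messages
"""

# Constructed inventory: hosts where the Discord desktop client is legitimately installed.
DISCORD_INSTALLED = {"ws-marketing-02"}

# Assumed set of Discord domains to treat as "Discord traffic" (apex plus subdomains).
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S*)$")


def is_discord_domain(dest):
    """True if dest is one of the Discord apex domains or a subdomain of one."""
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in DISCORD_DOMAINS)


def parse_log(text):
    """Yield (timestamp, host, destination, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_suspect_hosts(log_text, installed):
    """Return {host: [(dest, path), ...]} for hosts that contact Discord
    without the Discord client being present in the inventory."""
    hits = defaultdict(list)
    for _ts, host, dest, path in parse_log(log_text):
        if is_discord_domain(dest) and host not in installed:
            hits[host].append((dest, path))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_suspect_hosts(SAMPLE_LOG, DISCORD_INSTALLED).items():
        print(f"{host}: {len(events)} Discord connection(s) but no client installed")
        for dest, path in events:
            print(f"    {dest}{path}")
```

A hit is a starting point for investigation, not proof of infection: browser sessions and legitimate webhooks also produce Discord traffic from hosts without the client.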