Hackers hijacked Discord invite links to steal cryptocurrency

A new malware campaign is exploiting a vulnerability in Discord's invitation system to deliver the AsyncRAT remote access trojan and the Skuld information stealer. Attackers are hijacking expired or deleted invite links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers.


Understanding the Vulnerability
The core issue lies in Discord's invite mechanism, which permits the reuse of expired or deleted invite links. This means that a previously trusted link shared on forums or social media could lead users to malicious sites. This campaign follows a previous phishing attack that also exploited expired links to lure users into joining a Discord server, ultimately draining their digital assets.
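Because the risk is a once-legitimate invite code being re-registered and pointed elsewhere, communities that publish invite links can audit them. The following added example (not code from the article or from Discord) extracts invite codes from a document and classifies each as still pointing at the expected server, no longer resolving (a candidate for re-registration), or resolving to a different server. The resolver is injected; a constructed lookup table stands in for Discord's public invite endpoint so the audit runs offline.

```python
import re
from typing import Callable, Optional

# Matches discord.gg/<code>, discord.com/invite/<code> and discordapp.com/invite/<code>.
INVITE_RE = re.compile(
    r"https?://(?:www\.)?(?:discord\.gg|(?:discord|discordapp)\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE,
)

def extract_invite_codes(text: str) -> list:
    """Return the invite codes found in a document, in order, without duplicates."""
    seen, codes = set(), []
    for code in INVITE_RE.findall(text):
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes

def audit_invites(text: str, expected_guild_id: str,
                  resolve: Callable[[str], Optional[str]]) -> dict:
    """Classify every invite link in `text`.

    `resolve(code)` returns the guild id the invite currently points at, or None when
    the code no longer resolves (expired or deleted). In real use this would wrap
    Discord's invite lookup endpoint; here it is injected so the audit runs offline.
    """
    report = {"ok": [], "dead": [], "hijacked": []}
    for code in extract_invite_codes(text):
        guild = resolve(code)
        if guild is None:
            report["dead"].append(code)       # no longer resolves: could be re-registered by someone else
        elif guild != expected_guild_id:
            report["hijacked"].append(code)   # resolves, but to a server that is not ours
        else:
            report["ok"].append(code)
    return report

# Constructed sample: a community README plus a fake resolver standing in for the Discord API.
SAMPLE_DOC = """Join us: https://discord.gg/ourserver
Old announcement: https://discord.com/invite/oldcode123
Support: https://discord.gg/helpdesk"""

FAKE_DIRECTORY = {"ourserver": "111111111111111111", "helpdesk": "999999999999999999"}  # constructed

def fake_resolve(code: str) -> Optional[str]:
    return FAKE_DIRECTORY.get(code)

if __name__ == "__main__":
    print(audit_invites(SAMPLE_DOC, "111111111111111111", fake_resolve))
```

Links reported as "dead" are the ones to remove from public pages or documentation, since that is the state in which a code can be claimed by another server.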

Attack Methodology

1. Joining the Malicious Server: Once users join the malicious server, they are prompted to complete a verification step by authorizing a bot, which then directs them to a phishing site.

2. Social Engineering Tactics: Attackers employ social engineering tactics, specifically the ClickFix technique, to trick users into executing a PowerShell command disguised as a verification process.

3. Payload Delivery: This command downloads AsyncRAT and Skuld Stealer onto the victim's system.


Malware Details

AsyncRAT: Provides comprehensive remote control capabilities over infected systems.

Skuld Stealer: Designed to steal sensitive data from Discord, various browsers, and crypto wallets, including seed phrases and passwords. It utilizes a method called wallet injection, replacing legitimate application files with trojanized versions to harvest sensitive information.


Data Exfiltration and Evasion Techniques
The attack utilizes trusted cloud services like GitHub, Bitbucket, and Pastebin for payload delivery and data exfiltration, allowing it to blend in with normal traffic and evade detection. The collected data is sent to the attackers via Discord webhooks, further obscuring their activities.

Mitigation and Response
Discord has since disabled the malicious bot, effectively breaking the attack chain. However, researchers have identified another campaign by the same threat actor that distributes a modified loader disguised as a hack tool for unlocking pirated games, which has already been downloaded 350 times.

Victim Profile
Victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom. This highlights the ongoing risks associated with Discord, which has previously been abused for malware distribution.

Conclusion
Researchers emphasize that this campaign illustrates how a subtle feature of Discord's invite system—the ability to reuse expired or deleted invite codes—can be exploited as a powerful attack vector. By hijacking legitimate invite links, threat actors can silently redirect unsuspecting users to malicious Discord servers, primarily targeting cryptocurrency users for financial gain. Users are urged to remain vigilant and cautious when interacting with invite links on the platform.