Cyjax researchers have observed a recent malicious spam campaign pushing commodity malware such as the AgentTesla infostealer and AveMaria remote access Trojan (RAT). This campaign caught our attention due to its reliance on Discord, the instant messaging and VoIP application, to host its payloads.
The spam emails are sent from spoofed sender addresses and masquerade as parcel delivery notifications from courier services, such as DHL or TNT. Email subjects included:
- TNT ARRIVAL NOTIFICATION REPORT / INVOICE & BILL
- Re: Consignment Notification: You have A Package With Us
Figure 1: TNT-themed phishing email containing AveMaria RAT
The infection chain used in these attacks leverages an embedded URL inside decoy images. These images appear to be photos taken of real invoices from the aforementioned delivery companies. If a user clicks the image, a compressed executable file is downloaded and run on the user’s device. The files are compressed with the LZH archived file format, an older, less-used compression system that works exclusively for Windows.
Figure 2: Infection chain for AveMaria RAT
Figure 3: Infection chain for AgentTesla
Once it is dropped onto the device, the file is immediately self-extracted, and the malware begins to establish persistence. Both AgentTesla and AveMaria leveraged living-off-the-land binaries (LOLBins) – such as ‘InstallUtil.exe’ and ‘TapiUnattend.exe’ – to connect to their command and control (C&C) servers.
Figure 4: DHL-themed phishing email containing AgentTesla
The C&C server’s IP address was also uncovered which led us to several other recently shared samples of AveMaria. These used the same Discord server to host LZH files that drop EXE files containing the malware. The file names include:
- TNT_INVOICE_AND_PACKING_LIST.lzh
- PFQ_PO_09072020_xlsm.lzh
- Doc_Shipment_Confirmation_for_AWB_778466473898_PDF.lzh
- QUOTATION-2071456_PDF.exe
- DHL DOCUMENTS No_SINI0068206497_PDF.exe
- DHL DOC No_SINI0068206497_PDF.exe
- FIRM ORDER # 2020-1-32410 21981XMH.exe
This ongoing malspam campaign relies heavily on Discord to host its payload in the cloud. The attackers use ‘cdn.discord.com’ to store the files: in simple terms, this is where Discord hosts images and other files. The formation of the malicious URLs is as follows:
- https://cdn.discordapp.com/attachments/{ChannelID}/{AttachmentID}/example.exe
If the Discord app is installed or the web app is open on the device, spam filters and endpoint protection systems may not detect these URLs as a threat and may allow any links from Discord. The use of Discord to host payloads, however, is not new.
Because Discord does not moderate the content hosted on the platform, it has become an ideal tool for malspam campaigns. It is recommended to review communication to Discord, especially if it is not used within an enterprise. The use of free cloud file-sharing platforms is increasingly being adopted by cybercriminals. This is largely due to their wide availability and the lack of up-front investment that is required, as well as the fact that these platforms preserve the anonymity of their users and can be set up in very little time.
Cloud services such as Dropbox, OneDrive, and Google Drive all have taken measure to prevent threat actors from leveraging their service, although they are still heavily utilised. Discord fails to provide a ‘report abuse’ button on shared files and has not yet acted on how their service is being abused in this way. Discord does warn native users if they open a link from within the platform but downloading a file from the content delivery network (CDN) has no such warnings – even users with no Discord account can still download it. Incident response is hindered by externally shared Discord links too because even if someone deletes the file or removed their account, the platform still stores it in its CDN. It is also impossible to trace the original file uploader with just a Discord download URL.
Organisations can mitigate this threat by asking employees to do the following:
- Never open links from unknown or untrustworthy sources
- Make sure antivirus protection systems are up-to-date and perform regular scans
- Immediately scan your system and reinstall Discord if you notice something suspicious
- Report anything suspicious to the security team
Indicators of Compromise (IOCs):
Spyware.AgentTesla
SHA256: 0871c81dd26cf06c80392c9d1410d97c56e4979090230d8befe4291be07dec0c
SHA256: 140457897c4098698f0bce11a60e321a56c1beddea3041c1173b44891acb58db
Trojan/Win32.AveMaria
SHA256: ab261adafcaa48f8a9472a46e105f3a1a89f6b0291555e14448e445e058b9cc6
SHA256: e8ced66e2e2f78e7b4360155e2513cb99aa57d9743b1eab6430cffaa7d8c3523
C2
IPv4: 185.140.53.91
Domain: coventry001.ddns.net