The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.
Threat actors abusing Discord for malicious activity is nothing new.
RAT uses Discord as a full C2 server
A new 'Abaddon' remote access trojan (RAT) discovered by MalwareHunterTeam, though, could be the first malware that uses Discord as a full-fledge command and control server.
A command and control server (C2) is a remote host that malware receives commands to execute on an infected computer.
When started, Abaddon will automatically steal the following data from an infected PC:
Chrome cookies, saved credit cards, and credentials.
Code showing the stealing of Chrome data
Steam credentials and list of installed games
Code showing Steam data theft
Discord tokens and MFA information.
System information such as country, IP address, and hardware information.
Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by the image below.
Receive a task from the Discord server
These commands will tell the malware to perform one of the following tasks:
Steal a file or entire directories from the computer
Get a list of drives
Open a reverse shell that allows the attacker to execute commands on the infected PC.
Launch in-development ransomware (more later on this).
Send back any collected information and clear the existing collection of data.
The malware will connect to the C2 every ten seconds for new tasks to execute.
Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the computer.
Developing a basic ransomware
One of the tasks that can be executed by the malware is to encrypt the computer with basic ransomware and decrypt files after a ransom is paid.
This feature is currently in development as its ransom note template contains filler as the developer works on this feature.
In-development ransomware component
With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.