spamming Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/spamming/

What is Discord virus? Investigating a new online fraud
https://gridinsoft.com/blogs/discord-virus/
Thu, 11 Mar 2021 14:14:10 +0000

The Discord virus is another example of malware distribution through a social network. Like a similar case, known as the Facebook virus, it is carried out on a popular communication platform. There are several differences between viruses spread on Facebook and through Discord, but let’s go through the information step by step.

Explaining the Discord virus

“Discord virus” is only the name of a spamming campaign that takes place on this communication platform. The exact type of malware you can get through these tricks varies widely. Nonetheless, the fraudsters’ method of fooling you is hardly original. There are two clearly distinguishable approaches: thick and gentle. The thick method is used in mass attacks. The potential victim receives a malicious link with clickbait text from an unknown user. Because all such messages are suspicious, Discord additionally shows a notification that it is dangerous to click links and open files received from unknown users. Nonetheless, the most careless people may be caught even in such a simple trap.

[Image: An example of virus distribution in Discord]

The gentle method requires a server where the fraudster builds the image of a typical user interested in the topic of discussion. He then sends the same message as in the thick method but adds something attractive to the other participants. Such distribution requires social engineering skills, time, and patience. But the users’ level of trust is much higher, and on a large server (200+ active participants) virus distributors may hit the jackpot.

Important details: how the trust is established

You will hardly be able to distinguish a malware distributor from other users when he tries to slip in a malicious link. Such behavior is hard even to predict because of the specific audience present on Discord. The platform is generally used by gamers, programmers, and similar categories of users. They often deal with self-made programs, dubious applications, and other software that often triggers a strong reaction from antivirus tools. Hence, a request to disable anti-malware software when the program starts, or to add the app to the whitelist, does not look suspicious.

But there are several points that are not obvious to a new or inexperienced user yet are easily refuted by advanced ones. Many Discord virus cases involved sending a “free patch for Discord which will enable Nitro features without purchasing”. People who know how the Discord subscription model works will quickly recognize this as a fake. Data about an account’s privileges is kept on a server run by the developers of the program. That you have paid for Discord Nitro is confirmed by the corresponding incoming payment. There is no way to change this data and enable the feature for your account by cracking the client application.

N.B. There are also several other variants of malware distribution in Discord; you can read about them here.

How dangerous is the Discord virus?

Not as dangerous as, for example, ransomware. This way of distributing malware is not anonymous: it is straightforward for cyber police to track a user who spreads dangerous malware. However, there is still nothing pleasant about a coin miner, spyware, adware, or any other malicious program. Be very careful when using software that an unknown person recommends. The same applies to unnatural-looking links that pretend to be download links for useful software.

Spammers hide behind hexadecimal IP addresses
https://gridinsoft.com/blogs/spammers-hide-behind-hexadecimal-ip-addresses/
Mon, 21 Sep 2020 16:21:01 +0000

Trustwave experts have discovered that pharmaceutical spammers have started to insert unusual URLs into their messages. The spammers hide behind hexadecimal IP addresses, using them to bypass email filters and other security solutions.

The idea is based on the RFC 791 standard. The researchers point out that, for example, https://google.com is the same as https://216.58.199.78; the first form is simply easier to remember.

“Technically, an IP address can be represented in several formats and therefore can be used in a URL in a variety of ways,” explain Trustwave researchers.

For example, any IP address can be written in other formats, including:

  • octal IP address: https://0330.0072.0307.0116;
  • hexadecimal IP address: https://0xD83AC74E;
  • integer or DWORD IP address: https://3627730766.

Spammers exploit this feature and have been using hexadecimal IP addresses in their mailings since July this year. While browsers understand these formats and direct the user to google.com anyway, as in the example above, many spam filters stop “seeing” dangerous URLs because of this.
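A filter can close this gap by normalizing numeric hosts before matching. The following is an added example, not code from Trustwave or Gridinsoft: it parses a URL host using the inet_aton-style rules that browsers apply to numeric hosts (hex, octal, decimal, and one to four parts), converts it to dotted decimal, and flags URLs whose written host differs from that canonical form. The function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One numeric host part: hex (0x..), octal (leading 0) or plain decimal.
_NUM = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*", re.I)
_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _part(s):
    if not _NUM.fullmatch(s):
        return None
    base = 16 if s[:2].lower() == "0x" else 8 if s[0] == "0" else 10
    return int(s, base)

def normalize_ipv4_host(host):
    """Canonical dotted-decimal IPv4 for a numeric host, or None if not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    # All parts but the last are single bytes; the last fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def find_obfuscated_ip_urls(text):
    """(url, canonical_ip) for URLs whose host is an IPv4 not in dotted decimal."""
    hits = []
    for url in _URL.findall(text):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        host = urlsplit(url).hostname or ""
        ip = normalize_ipv4_host(host)
        if ip is not None and host != ip:
            hits.append((url, ip))
    return hits

# Constructed sample body using the address forms quoted in the article.
SAMPLE = """Order: http://0xD83AC74E/offer
Mirror: https://0330.0072.0307.0116/a?b=1
Alt: https://3627730766
Plain: https://216.58.199.78/
Normal: https://google.com/"""

print(find_obfuscated_ip_urls(SAMPLE))
```

The canonical address returned for each hit can then be checked against the same blocklists and reputation feeds used for ordinary dotted-decimal URLs.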

“Any threat actor equipped with this knowledge can craft an obscure-looking URL like the ones shown above and send it via email with a convincing message to deceive the email gateway and the victim and lure them to click and open a site controlled by the attacker,” write Trustwave researchers.

[Image: Attack scheme]

Experts note that since this trick came into use, the activity of the enterprising spam group has markedly increased, and much more spam has begun to reach user inboxes. At the peak of the campaign, the scammers sent out about 25,000 messages. The spammers advertised various drugs to lower cholesterol; antifungal, anti-aging, and anti-inflammatory drugs; medical masks; UV lamps; and all kinds of dietary supplements.

Interestingly, this is not the first such case discovered by information security specialists.

For example, last summer, Proofpoint experts talked about the PsiXBot Trojan, whose operators also used hexadecimal IP addresses to hide the location of their control servers.

Learn more about how spam works in our blog post: Spam Email. What Do Spammers Hope For?
