Abusing Discord to deliver Agent Tesla malware

Sublime Threat Detection

July 2, 2024

Sublime Security Attack Spotlight: Attempts to deliver malware by sending a fake purchase order.

Take control of your email environment

Deploy Sublime for Free
Request Demo

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Malware/Ransomware

The Attack

Attempts to deliver malware by sending a fake purchase order message. Attack characteristics:

  • Embeds a fake PDF logo to bolster legitimacy
  • The fake logo and “Download PO.PDF” are hyperlinked to  cdn[.]discordapp[.]com
  • When the link is clicked, a VBE file is downloaded from Discord's CDN, which downloads and executes AgentTesla

Agent Tesla is a .Net-based Remote Access Trojan (RAT) and data stealer for gaining initial access that is often used for Malware-as-a-Service (MaaS). In this criminal business model, threat actors known as initial access brokers (IAB) outsource their specialized skills for exploiting corporate networks to affiliate criminal groups. As first-stage malware, Agent Tesla provides remote access to a compromised system that is then used to download more sophisticated second-stage tools, including ransomware.

Source

Detection signals

Sublime detected and prevented this attack using the following top signals:

FREE FILE HOSTING SERVICE

The malware is hosted on Discord’s file sharing server. By using high reputation infrastructure, the link is less likely to be deeply inspected.

LINK TO AUTO-DOWNLOAD OF A SUSPICIOUS FILE TYPE

The link auto-downloads a VBE file, which is often used to deliver malware.

MISMATCHED SENDER AND REPLY-TO

The message’s from address doesn’t match the reply-to. We typically observe this when the adversary has compromised an account to send the initial message, but may lose access, so they redirect replies to an account they own.

UNKNOWN SENDER

The sender has rarely, if ever, communicated with anyone at the targeted organization.

Sublime detects and prevents malware/ransomware delivery and other email based threats. Deploy a free instance today.

Back to Blog

Gain insight into the latest email security trends, the threat landscape, and detection strategies.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.