The new "Abaddon" remote access trojan may be the first to use Discord as a complete command and control server that instructs the malware on what to do on an infected computer. Worse, a ransomware feature is being developed for the malware.
This is not the first time that some attackers have used Discord for malicious activity.
RAT uses Discord as a complete C2 server
A new "Abaddon" remote access trojan (RAT) discovered by MalwareHunterTeam could be the first malware to use Discord as a complete command and control server.
When it launches, Abaddon will automatically steal the following data from an infected computer:
- Chrome cookies, saved credit cards and credentials.
- Discord tokens and MFA information.
- File lists
- System information, such as country, IP address and hardware details.
Abaddon will then connect to its Discord command and control server to check for new commands, as shown in the figure below.
These commands will tell the malware to perform one of the following tasks:
- Steal a file or entire directories from the computer
- Get a list of drives
- Open a reverse shell, which allows the attacker to execute commands on the infected computer.
- Start the ransomware that is still in development.
- Send back any collected information and delete the existing data collection.
The malware will connect to the C2 every ten seconds to check for new tasks.
Using a Discord C2 server, the threat actor can continuously monitor the collection of infected computers for new data and execute further commands or malicious programs on them.
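As an added illustration (not from the article and not Abaddon's own code), this is how a defender might pick out the fixed-interval polling described above in web proxy logs: the log lines, host names and the list of Discord domains are constructed assumptions.

```python
# Added example (not code from the article or the malware): flag hosts whose
# connections to a Discord domain recur at a fixed short interval, the ~10 s
# polling the RAT is described as doing. The log lines below are constructed.
from datetime import datetime
from statistics import median, pstdev

# Assumption: Discord API traffic is seen going to these domains.
DISCORD_DOMAINS = ("discord.com", "discordapp.com")

# Constructed proxy log: "<ISO timestamp> <client host> <destination host>"
SAMPLE_LOG = """\
2020-10-20T09:00:00 ws-17 discord.com
2020-10-20T09:00:03 ws-17 cdn.example.net
2020-10-20T09:00:10 ws-17 discord.com
2020-10-20T09:00:20 ws-17 discord.com
2020-10-20T09:00:30 ws-17 discord.com
2020-10-20T09:00:40 ws-17 discord.com
2020-10-20T09:00:05 ws-02 discord.com
2020-10-20T09:04:12 ws-02 discord.com
2020-10-20T09:11:48 ws-02 discord.com
2020-10-20T09:31:30 ws-02 discord.com
2020-10-20T09:52:07 ws-02 discord.com
"""

def is_discord(dest):
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in DISCORD_DOMAINS)

def parse_log(text):
    """Return {client: [timestamps]} for connections to Discord domains only."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ts, client, dest = line.split()
            if is_discord(dest):
                events.setdefault(client, []).append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_hits=5, max_interval=30.0, max_jitter=2.0):
    # A person using Discord produces bursty, irregular traffic; a polling implant
    # produces a near-constant gap. Returns {client: (median_gap_s, jitter_s)}.
    flagged = {}
    for client, stamps in events.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med, jitter = median(gaps), pstdev(gaps)
        if med <= max_interval and jitter <= max_jitter:
            flagged[client] = (med, jitter)
    return flagged
```

On the constructed log, ws-17 is flagged with a 10-second median gap and zero jitter, while ws-02's irregular, widely spaced connections are not.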
Development of a basic ransomware
This feature is still in progress, as the ransom note template contains filler text while the developer works on it.
With ransomware being extremely lucrative, it would not be a surprise to see this feature completed in the future.