Collaboration Platforms Increasingly Abused by Threat Actors for Data Exfiltration and Malware Delivery

Teleworking has been growing in popularity over the past few years, but the national lockdowns imposed by governments to limit the spread of COVID-19 forced many businesses to allow their workforce to work remotely and telework has now become the norm.

Threat actors have adapted their tactics, techniques, and procedures to take advantage of this change in working practices. The collaboration platforms that teleworkers now rely on to stay in contact with their office and colleagues, such as Discord and Slack, are increasingly being abused by threat actors to stay under the radar and evade organizations’ security defenses.

Campaigns are now being conducted using these legitimate collaboration platforms to distribute malware such as RATs, information stealers, and ransomware, for component retrieval, data exfiltration, and command and control communications.

Misuse of communication and collaboration platforms for malicious purposes is nothing new, of course; however, the extent to which these platforms are being abused is growing. A recent analysis of malicious use of these platforms, published by researchers at Cisco Talos, reveals the tactics used and the extent of the abuse.

Users of these collaboration solutions are used to opening hyperlinks and attachments, so threat actors can find it easy to get employees to take the actions required to download malware. Threat actors may also engage employees directly, impersonating trusted contacts to get them to reveal sensitive information.

Many of these collaboration platforms support file attachments, which makes malware delivery straightforward. When malicious attachments are attached to emails, the messages must first pass through security defenses such as secure email gateways, which often detect the attachments as malicious and block them. Similarly, when hyperlinks to malicious websites are delivered via email, security solutions are often in place that visit these links and identify malicious content. Collaboration platforms are allowed by many businesses and their use is often actively encouraged, yet the security controls in place are typically far less stringent than those for email, which makes it less likely that malicious content will be blocked.

The lack of security protections has made it easy for threat actors to distribute malware. Cisco Talos researchers note that Discord has been used in a campaign to deliver Thanatos ransomware, with others distributing the Phoenix keylogger and remote access Trojans such as Agent Tesla, Formbook, Remcos, AsyncRAT, JSProRAT, LimeRAT, Nanocore RAT, and WSHRAT.

Malware is often transmitted between users by attaching files to channels, which is possible on platforms such as Discord and Slack. Files are stored within the platform’s Content Delivery Network (CDN), which allows server members to access them as they were originally attached. However, these malicious files can also be fetched via their CDN URLs from machines on which Discord or Slack has never been installed.

This ability to host files is being exploited by threat actors to evade security solutions, with links to the malicious content often sent via spam email. This method of delivery allows the content to be served over HTTPS, which means the communications between the endpoint accessing the content and the Discord CDN delivering it are encrypted. Further, when the payload is delivered as a compressed archive, the compression obfuscates the archive’s contents.
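One defensive check that follows from the delivery chain above is to review web proxy logs for fetches of archives or executables from collaboration-platform file hosts. The script below is an added example, not code from the article or from Cisco Talos; the host names, the proxy log format and the sample lines are assumptions and constructed data.

```python
# Added example: flag downloads of archive/executable files from
# collaboration-platform file hosts in web proxy logs.
# The host names are assumptions about where Discord and Slack serve
# attached files; adjust them to what you observe in your own environment.
import re
from urllib.parse import urlparse

COLLAB_FILE_HOSTS = {
    "cdn.discordapp.com",     # assumed Discord CDN host
    "media.discordapp.net",   # assumed Discord media proxy host
    "files.slack.com",        # assumed Slack file host
}
# File types the article associates with malware delivery (archives, executables, scripts)
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".js", ".vbs", ".dll", ".iso")

# Constructed proxy log format: "<timestamp> <user> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def flag_collab_cdn_downloads(lines):
    """Return (user, host, filename) for every fetch of a risky file type
    from a collaboration-platform file host. Such CDN links can be fetched
    without the chat client installed, so the proxy log is where they show up."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        _ts, user, _method, url, _status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host not in COLLAB_FILE_HOSTS:
            continue
        filename = parsed.path.rsplit("/", 1)[-1]
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append((user, host, filename))
    return findings


# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    "2021-04-08T09:12:01Z alice GET https://cdn.discordapp.com/attachments/111/222/invoice.zip 200",
    "2021-04-08T09:12:05Z bob GET https://files.slack.com/files-pri/T0/F1/report.pdf 200",
    "2021-04-08T09:13:10Z carol GET https://example.com/downloads/setup.exe 200",
    "2021-04-08T09:14:22Z dave GET https://media.discordapp.net/attachments/333/444/update.js 200",
    "not a log line",
]

if __name__ == "__main__":
    for user, host, name in flag_collab_cdn_downloads(SAMPLE_LOG):
        print(f"{user} fetched {name} from {host}")
```

The PDF from Slack and the executable from an unrelated host are deliberately left unflagged so the rule stays focused on the specific CDN-hosted payload pattern described above.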

“As chat apps like Discord, Slack and many others rise in popularity, organizations need to assess how these applications can be abused by adversaries and how many of them should be allowed to operate inside your enterprise,” said Cisco Talos. “It’s likely the abuse of these chat apps will only increase in the near and long term. As more applications become available and some rise and fall in popularity, new avenues will continually be opened for adversaries.”

Author: NetSec Editor