New Rust Malware “ChaosBot” Uses Discord for Command and Control

MITRE Techniques

• [T1078] Valid Accounts – Threat actors used compromised CiscoVPN credentials and an over-privileged Active Directory account named “serviceaccount” to gain and move within the environment. Quote: ‘leveraged compromised credentials that mapped to both CiscoVPN and an over-privileged Active Directory account named, “serviceaccount”.’
• [T1047] Windows Management Instrumentation – Actors leveraged WMI to execute remote commands across systems to deploy ChaosBot. Quote: ‘they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.’
• [T1036.005] Masquerading: Match Legitimate Name or Location – ChaosBot payload (msedge_elf.dll) was side loaded via Microsoft Edge component identity_helper.exe from Public user profile. Quote: ‘The ChaosBot payload (msedge_elf.dll) was side loaded via the legitimate Microsoft Edge component identity_helper.exe from the Public user profile directory: C:UsersPublicLibraries.’
• [T1204.002] User Execution: Malicious File – Phishing using malicious Windows Shortcut files that run a PowerShell command to download/execute ChaosBot while opening an innocuous PDF lure. Quote: ‘The shortcut file runs a PowerShell command that downloads and executes ChaosBot while simultaneously downloading/opening an innocuous PDF to mislead the victim.’
• [T1573.001] Encrypted Channel: Symmetric Cryptography or Application Layer Protocol – ChaosBot used Discord API (bot token, guild/channel) for C2 communications, creating channels and sending/receiving messages and attachments. Quote: ‘includes a discord bot token, guild (server) ID, and a channel ID that the malware uses to send messages to the threat actor(s) Discord when it successfully infects a new device.’
• [T1059.001] Command and Scripting Interpreter: PowerShell – ChaosBot executes shell commands via a new PowerShell process prefixed to set UTF8 output encoding for command execution. Quote: ‘it executes them via a new PowerShell process with a consistent command line: each command is prefixed to set the output encoding to UTF8.’
• [T1041] Exfiltration Over C2 Channel – Results of executed commands, screenshots, and files are uploaded to Discord channels as file attachments (multipart/form-data). Quote: ‘after executing the command via PowerShell, the malware sends back results… as file attachments in multipart/form-data format via POST request to the Messages resource.’
• [T1098] Account Manipulation / T1136] Create Account Patterns (contextual) – ChaosBot creates new Discord channels named after victim hostnames to receive commands and report infections. Quote: ‘ChaosBot then creates a new channel named after the victim’s computer name.’
• [T1497.001] Virtualization/Sandbox Evasion: Time/Environment Checks – Malware checks MAC addresses against known VM MAC prefixes and exits if matched. Quote: ‘The second technique checks the Mac addresses of the system against known Virtual Machine MAC address prefixes for VMWare and VirtualBox.’
• [T1562.001] Impair Defenses: Disable or Modify Tools – ChaosBot patches ntdll!EtwEventWrite (xor eax, eax -> ret) to prevent ETW consumers (EDR/AV/sandboxes) from seeing telemetry. Quote: ‘patching the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret)… prevents ETW consumers… from seeing telemetry.’
• [T1573.002] Application Layer Protocol: Web Protocols (HTTP/HTTPS) – Use of Discord REST API endpoints (GET/POST to discord.com/api/v10) for C2 traffic. Quote: ‘GET https://discord.com/api/v10/users/@me’ and ‘POST https://discord.com/api/v10/channels//messages’.
• [T1105] Ingress Tool Transfer – Threat actors downloaded FRP (node.exe/node.ini) and Visual Studio Code (code.exe) to victim systems using ChaosBot’s download command. Quote: ‘download hxxps://…/node.exe … c:userspublicmusicnode.exe’ and ‘download hxxps://…/code.exe c:userspublicmusiccode.exe’.