RAT Malware Exploiting Discord Bot Functionality

The article examines PySilon, an open-source RAT implemented as a Discord bot, and shows how the malware operates, maintains persistence, and collects sensitive user information over Discord-based communication. It also highlights how attackers can disguise malicious bots as legitimate tools and stresses caution when installing bots or programs from untrusted sources. #PySilon #DiscordBot #RAT #Fernet #PyInstaller

Keypoints

  • Discord is a platform for real-time communication and community building.
  • A Discord Bot automates tasks on servers, enhancing server management and user interaction.
  • The PySilon case exemplifies RAT malware implemented through a Discord Bot.
  • The malware builder allows customization of server ID and bot token for deployment.
  • Once executed, the malware creates a channel for the threat actor to control infected PCs.
  • It maintains persistence by self-replicating and modifying the system registry.

MITRE Techniques

  • [T1003] Credential Dumping – Collects user credentials including Discord tokens, emails, and passwords.
  • [T1486] Data Encrypted for Impact – Encrypts files using the Fernet algorithm, storing the key in the user folder.
  • [T1219] Remote Access Software – Utilizes Discord for remote access and control of infected systems.
  • [T1055] Process Injection – Executes commands and manipulates processes on the infected PC.
  • [T1547] Persistence – Adds itself to the RUN key in the registry to maintain persistence.
  • [T1071] Command and Control – Communicates with the threat actor via Discord channels for command execution.

Indicators of Compromise

  • [Credential/Token] – Discord token and MFA information
  • [Credential/Email] – Email address and password
  • [BrowserData] – Cookie information and web browsing history
  • [File] – Files with the .pysilon extension; decryption key file stored in the user folder
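As an added defender-side example (not code from the ASEC article or from the PySilon project), the script below walks a user folder and flags files carrying the .pysilon extension whose contents have the Fernet token layout, together with small files that look like a stored Fernet key. It assumes the encrypted files hold the urlsafe-base64 token exactly as `Fernet.encrypt` produces it; the sample tree built by `demo()` is constructed for illustration.

```python
import base64, os, struct, tempfile, time
from pathlib import Path

FERNET_VERSION = 0x80
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32  # version | timestamp | IV | >=1 AES block | HMAC-SHA256

def looks_like_fernet_token(data: bytes) -> bool:
    """Structural check only: without the key the HMAC cannot be verified."""
    try:
        raw = base64.urlsafe_b64decode(data.strip())
    except (ValueError, TypeError):
        return False
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return False
    ts = struct.unpack(">Q", raw[1:9])[0]  # big-endian seconds since the epoch
    body = len(raw) - 1 - 8 - 16 - 32      # ciphertext must be whole AES blocks
    return body % 16 == 0 and 1_000_000_000 < ts < time.time() + 86400

def looks_like_fernet_key(data: bytes) -> bool:
    """A Fernet key is 32 random bytes, urlsafe-base64 encoded to 44 characters."""
    data = data.strip()
    try:
        return len(data) == 44 and len(base64.urlsafe_b64decode(data)) == 32
    except (ValueError, TypeError):
        return False

def triage(root: str) -> dict:
    """Walk a user profile; report .pysilon files and candidate key files."""
    found = {"encrypted": [], "keys": []}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()
        except OSError:  # unreadable files are skipped, not fatal
            continue
        if path.suffix == ".pysilon" and looks_like_fernet_token(data):
            found["encrypted"].append(path.relative_to(root).as_posix())
        elif len(data) <= 64 and looks_like_fernet_key(data):
            found["keys"].append(path.relative_to(root).as_posix())
    return found

def demo() -> dict:
    """Constructed sample tree (not real malware output): fake token, fake key, benign file."""
    root = Path(tempfile.mkdtemp())
    token = bytes([FERNET_VERSION]) + struct.pack(">Q", int(time.time())) + os.urandom(80)
    (root / "report.docx.pysilon").write_bytes(base64.urlsafe_b64encode(token))
    (root / "key.txt").write_bytes(base64.urlsafe_b64encode(os.urandom(32)))
    (root / "notes.txt").write_bytes(b"not a key, just text\n")
    return triage(str(root))
```

If a key file is recovered, `cryptography.fernet.Fernet(key).decrypt(token)` restores the original bytes; this script only identifies candidates and cannot validate a token's HMAC without that key.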

Read more: https://asec.ahnlab.com/en/84107/