UNC5174 Group’s Discord Bot Backdoor Malware

ASEC reported that the UNC5174 threat group deployed a Discord-based backdoor built with the open-source Discordgo library, using Discord API message events as a covert C2 channel to execute commands, transfer files, and exfiltrate data. The malware stores encrypted bot tokens and server IDs (Base64 + AES), executes commands via bash -c, collects system information, deletes temporary result files, and remains largely undetected (VirusTotal 1/64). #UNC5174 #Discordgo

Keypoints

  • ASEC identified a backdoor that uses the Discord API as a command-and-control channel, allowing operators to send commands through Discord message events.
  • The backdoor was developed using the open-source Discordgo Golang library, enabling easy session creation and event handling via AddHandler()/MessageCreate.
  • Operators embed encrypted bot tokens and server IDs (Base64 + AES) inside the binary and decrypt them at runtime to connect to the attacker-controlled Discord server.
  • Malware capabilities include remote command execution (via bash -c), file upload/download, system information collection, and exfiltration of command output via Discord.
  • The sample saves command results to temporary files such as /tmp/message.txt and deletes them after sending to minimize forensic traces.
  • The sample had a VirusTotal detection of 1/64 (detected only by AhnLab as of the report), illustrating low detection across many security products.

MITRE Techniques

  • [T1071] Application Layer Protocol – The adversary used the Discord API (REST + Gateway) as the C2 channel to blend with legitimate traffic and avoid dedicated C2 infrastructure. [‘leveraged the Discord API as their C2 channel instead of building a dedicated C2 infrastructure’]
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Commands received via Discord are executed by appending the payload to bash -c to run on the host. [‘appended to bash -c to complete the execution string and perform the system command’]
  • [T1041] Exfiltration Over Command and Control Channel – Command outputs and collected data are sent back to the attacker over the Discord channel used for C2. [‘the content is then sent back to Discord’]
  • [T1082] System Information Discovery – The malware gathers system information from victims using Golang libraries to enumerate host details. [‘The following system information can be collected from the victim’]
  • [T1070.004] Indicator Removal on Host: File Deletion – Temporary files containing command results are deleted after transmission to reduce traces. [‘After sending the execution result to the threat actor, the file is deleted to minimize traces.’]
  • [T1552.001] Credentials in Files – Bot token and server ID values are stored encrypted within the binary and decrypted at runtime (Base64 + AES) for authentication. [‘These token and server ID values are encrypted within the file and are decrypted at runtime using Base64 and AES decryption.’]
  • [T1105] Ingress Tool Transfer – The backdoor supports file download and upload features controlled through Discord messages, enabling transfer of files to/from the host. [‘Upload file’, ‘Download file’]
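The three host-side behaviours listed above (Discord traffic from a non-browser process, a child `bash -c` execution, and deletion of the /tmp/message.txt result file) can be correlated into a single detection. The following Python sketch is an added example written for this summary, not code from ASEC or from the malware. The telemetry format is a constructed, auditd-like list of dicts, the five-minute window is an assumption, and the Discord hostnames (discord.com, gateway.discord.gg) are Discord's public API and gateway endpoints rather than values taken from the report.

```python
from collections import defaultdict

# Assumed from Discord's public API/gateway endpoints; the report only states that
# the C2 channel is "the Discord API (REST + Gateway)".
DISCORD_HOSTS = {"discord.com", "gateway.discord.gg"}
RESULT_FILE = "/tmp/message.txt"   # temporary result file named in the report
WINDOW_S = 300                      # correlate within five minutes (assumption)

# Constructed sample telemetry in a simplified, auditd-like shape. pid 4242 plays
# the backdoor: it connects to Discord, spawns `bash -c`, then unlinks the result
# file. pid 900 is a benign scheduler running a shell one-liner.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "connect", "pid": 4242, "host": "gateway.discord.gg", "port": 443},
    {"ts": 101, "type": "connect", "pid": 4242, "host": "discord.com", "port": 443},
    {"ts": 160, "type": "exec", "pid": 4300, "ppid": 4242, "argv": ["bash", "-c", "uname -a"]},
    {"ts": 163, "type": "unlink", "pid": 4242, "path": RESULT_FILE},
    {"ts": 200, "type": "exec", "pid": 5100, "ppid": 900, "argv": ["bash", "-c", "logrotate /etc/logrotate.conf"]},
    {"ts": 205, "type": "unlink", "pid": 900, "path": "/tmp/logrotate.lock"},
]


def correlate(events, window_s=WINDOW_S):
    """Return one alert dict per process that, within window_s seconds, connected
    to Discord, spawned `bash -c`, and deleted the temporary result file."""
    per_pid = defaultdict(lambda: {"discord": [], "bash": [], "unlink": []})
    for e in events:
        t = e["type"]
        if t == "connect" and e["host"] in DISCORD_HOSTS:
            per_pid[e["pid"]]["discord"].append(e["ts"])
        elif t == "exec" and e["argv"][:2] == ["bash", "-c"]:
            # The shell is a child; attribute the execution to the parent process.
            per_pid[e["ppid"]]["bash"].append(e["ts"])
        elif t == "unlink" and e["path"] == RESULT_FILE:
            per_pid[e["pid"]]["unlink"].append(e["ts"])

    alerts = []
    for pid, ev in per_pid.items():
        if not (ev["discord"] and ev["bash"] and ev["unlink"]):
            continue  # all three behaviours are required; any one alone is common
        first, last = min(ev["discord"]), max(ev["unlink"])
        if first <= last <= first + window_s:
            alerts.append({"pid": pid, "first_ts": first, "last_ts": last,
                           "bash_execs": len(ev["bash"]), "unlinks": len(ev["unlink"])})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("suspected Discord backdoor activity:", alert)
```

Requiring all three behaviours keeps the rule quiet on hosts where `bash -c` from cron or configuration tools is routine; in real telemetry the parent attribution comes from the EDR or auditd process tree rather than a flat ppid field.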

Indicators of Compromise

  • [Bot token] Discord bot authentication tokens embedded in malware – MTM5MzE4Mzg4NjYwMjkzMjI2NA.G6ooB1.zBdzA0XNv0k219EbJsXgxuR7N_X_H3beHgz_iM, MTQxMzQyNzA1Nzc2MDY2NTcyMQ.Golp3b.yc5Z1_qjtKJxwsznCRc5k2KCB2_BARLMUGqqNs
  • [Server ID] Discord server (guild) IDs used for C2 – 1393184594974474344, 1413435292970647596
  • [File hash (MD5)] Sample binary hash referenced in analysis – c193742412e98f1d46953f1ee73841b9
  • [Filename] Temporary execution/result file used by malware – /tmp/message.txt
  • [URL/Repository] Open-source library used to build the backdoor – https://github.com/bwmarrin/discordgo
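The bot tokens above follow Discord's token layout: three dot-separated URL-safe Base64 segments, the first of which is the Base64 encoding of the bot user's numeric snowflake ID (a timestamp-bearing identifier). That structure lets a triage script separate real tokens from token-shaped noise and date the bot account. The scanner below is an added example written for this summary, not code from ASEC or from the Discordgo project. Because the report says the tokens are AES-encrypted inside the binary, scanning the file on disk would not find them; the input here is a constructed blob standing in for strings recovered from a memory dump, a network capture, or an analyst's decrypted configuration, and it mixes the two reported tokens with a constructed decoy.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Token shape: <base64 snowflake>.<6-7 char segment>.<HMAC segment>; segment
# lengths are generous bounds, not an exact specification.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_-]{20,30}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{25,45}")

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, Discord's snowflake epoch

# Constructed sample: Go runtime strings, the two tokens from the report, the
# temporary file name, and a decoy whose first segment is not a snowflake.
SAMPLE_BLOB = (
    b"\x00runtime.gopanic\x00github.com/bwmarrin/discordgo\x00"
    b"MTM5MzE4Mzg4NjYwMjkzMjI2NA.G6ooB1.zBdzA0XNv0k219EbJsXgxuR7N_X_H3beHgz_iM\x00"
    b"aGVsbG8td29ybGQtZGVjb3k.AbCdEf.xxxxxxxxxxxxxxxxxxxxxxxxxxx\x00"
    b"/tmp/message.txt\x00bash\x00-c\x00"
    b"MTQxMzQyNzA1Nzc2MDY2NTcyMQ.Golp3b.yc5Z1_qjtKJxwsznCRc5k2KCB2_BARLMUGqqNs\x00"
)


def decode_snowflake(segment: str):
    """Decode a token's first segment; return the numeric ID, or None if the
    segment is not Base64 of an all-digit string (i.e. not a snowflake)."""
    padded = segment + "=" * (-len(segment) % 4)   # tokens omit Base64 padding
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if not raw.isdigit():
        return None
    return int(raw)


def snowflake_created_at(snowflake: int) -> datetime:
    """Creation time encoded in a snowflake: the top 42 bits are milliseconds
    since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def find_bot_tokens(blob: bytes):
    """Return a list of dicts for every token-shaped match whose first segment
    decodes to a valid snowflake; token-shaped noise is dropped."""
    hits = []
    for m in TOKEN_RE.finditer(blob):
        token = m.group(0).decode("ascii")
        bot_id = decode_snowflake(token.split(".")[0])
        if bot_id is None:
            continue
        hits.append({
            "token": token,
            "bot_id": bot_id,
            "created": snowflake_created_at(bot_id).isoformat(),
            "offset": m.start(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_bot_tokens(SAMPLE_BLOB):
        print(f"offset {hit['offset']}: bot {hit['bot_id']} created {hit['created']}")
```

The decoded bot IDs are worth recording alongside the raw tokens: the token's HMAC segment changes when the operator regenerates it, but the bot account ID does not, and the embedded creation timestamp helps relate a sample to the timeline of the campaign.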


Read more: https://asec.ahnlab.com/en/91419/