Attackers use Discord VoIP chat servers to host NanoCore, njRAT, SpyRAT

Share this…

Malicious actors are abusing a free VoIP service for gamers to distribute remote access Trojans, as well as infostealers and downloaders.

Discord, a free VoIP service designed for gaming communities, has had its chat servers abused to host malware. Most of the malicious samples found distributed on the app were remote access Trojans (RATs), such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat), among others.

Attackers abuse Discord chat servers to deliver remote access TrojansCLICK TO TWEET

How is Discord used?

Since it was released in March 2015, Discord’s popularity has increased especially among gamers, given that it is free, simple, multiplatform, and innovative. As of July 2016, more than 11 million people have used it.

Any Discord user can create a server, or group, in less than 10 seconds. Most of the groups on Discord are gamer gatherings (teams, guilds, clans) that use the VoIP service to communicate (via chat or voice) whether gaming or not.

Other groups focusing on a broader audience have also surfaced on Discord. For example, IT security researchers have created servers on Discord. In some cases, users have set a never expire invite link to their groups and advertised it on third-parties websites. These are usually marketed as places where knowledge is being shared and exchanged on particular topics. Some of these groups have thousands of members—most are gaming-related, while others are tech- and anime-related.

However, hacking groups have also set up Discord servers and are actively inviting people to join. Even shadier groups have created Discord servers that serve as a black market for the sale of malware or stolen data.

How do attackers distribute malware on Discord?

Using its chat feature, Discord’s users can post messages and links, embed pictures and videos, and upload attachments. Most gamers’ teams and guilds also use some chat channels as documentation boards.

Since the chat app allows members to upload most types of files, attackers can create a server and post or upload malicious attachments to the chat, then use it in a second-stage attack as a download site. Other attackers don’t have to create a server of their own—they could simply manually post malware to a server they had been invited to, so they could bait other unwitting users into opening the threat.

Besides the infamous and accessible RATs, such as NanoCore, njRAT, and SpyRAT, we also found various infostealers, Trojan Horsemalware samples, and downloaders among the files we’ve seen hosted on Discord. These may have been part of a drive-by download strategy or social-engineering campaign.

Figure. A NanoCore sample observed on a Discord chat channel server.

In our observation, NanoCore was the most prevalent among the malware hosted on Discord’s chat servers. This RAT has been around since at least 2013, with a few versions leaked early last year, and NanoCore RAT activity has not ceased since then. The RAT mainly affects computers in the US, followed by Japan and Germany.

Who are the targets?

Since the service was designed specifically for gamers, the majority of targets are from the gaming community. The app does attract a large number of video-streamers as its technology allows for synergy, a mode that lets users hide sensitive information while streaming content such as gaming sessions.

The attackers behind the RATs and other malware may have distributed their threats on the service to steal sensitive information related to online gaming (credentials, items, in-game currency, and contacts) directly from the victim’s computer. This data can be valuable to attackers just as much as other personally identifiable information (PII), such as users’ bank account details, web service credentials, contact numbers, IP addresses, and biometric information. These could all be harvested by data thieves in the process.

Symantec Security Response has contacted Discord’s security team, who swiftly removed the malicious files from the servers’ chat channels. Discord also added a new virus scan feature, which runs on its backend servers whenever a user uploads an executable or archive file. Discord does not support or endorse third-party websites that host a list of open invite Discord servers.


Symantec recommends users adhere to the following best practices when using Discord:

  • Do not download or run programs from people you do not know
  • Use the service’s permission control features which allow users to regulate the server’s users.
  • Restrict users’ permissions to curb abuse on the service, or grant individual permissions for better control.
  • When joining a Discord server, be careful of the content being posted on the chat channels.
  • Do not give out personal information to strangers when using the voice channel.