Self-Checkout This Discord C2









This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen.







In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software are not malicious, Discord has been leveraged by threat actors to deliver malware and remote access trojans (RATs) as a C2 channel. This is the first instance in which X-Force has encountered a Discord C2 channel using the native Discord bot capabilities.


Initial Access


X-Force was first notified of the activity as part of an escalation of a network-based alert for gaming traffic detected on the POS network. X-Force analyzed the POS system and discovered a JavaScript-based Discord bot designed to act as a C2 broker, with capabilities to execute commands and to collect and exfiltrate data from the system. X-Force’s investigation found that initial access to the POS system was achieved by connecting a Raspberry Pi Zero device running the P4wnP1 USB attack platform to the POS system via a USB port.




The Discord bot, written in JavaScript, leveraged a Node.js module enabling the bot to communicate autonomously with the Discord API using an API key. Upon startup, the bot establishes a connection to the Discord API using the API key, “guild id,” and “channel id” enabling the bot to mon ..
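The network alert that started this investigation (chat or gaming traffic on a POS segment) can be approximated from resolver logs. The following is an added example, not code from the original post or from X-Force: the POS subnet, the log line format, the sample lines, and the list of Discord domain suffixes are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: address range of the POS segment (constructed for this example).
POS_NET = ipaddress.ip_network("10.20.30.0/24")

# Assumption: domain suffixes used by Discord clients and bots; extend as needed.
DISCORD_SUFFIXES = ("discord.com", "discordapp.com", "discord.gg")

# Constructed sample resolver log: "<timestamp> <client ip> <query name>"
SAMPLE_LOG = """\
2022-11-03T09:14:02Z 10.20.30.17 gateway.discord.gg.
2022-11-03T09:14:03Z 10.20.30.17 discord.com
2022-11-03T09:14:05Z 10.20.30.22 payments.example.net
2022-11-03T09:15:11Z 10.50.1.8 cdn.discordapp.com
2022-11-03T09:16:40Z 10.20.30.22 notdiscord.com
2022-11-03T09:17:00Z bad-line
"""

def is_discord(name):
    """Match on label boundaries so 'notdiscord.com' is not a hit."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in DISCORD_SUFFIXES)

def find_pos_discord_lookups(log_text, pos_net=POS_NET):
    """Return {client_ip: [(timestamp, qname), ...]} for POS hosts only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname = parts
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue
        # Hosts outside the POS segment are ignored: Discord use elsewhere
        # on the network may be legitimate and is out of scope here.
        if addr in pos_net and is_discord(qname):
            hits[client].append((ts, qname.rstrip(".").lower()))
    return dict(hits)

if __name__ == "__main__":
    for host, events in find_pos_discord_lookups(SAMPLE_LOG).items():
        print(host, events)
```

Any hit from a POS host warrants review, since a self-checkout terminal has no business reason to resolve chat-service domains.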
