
Hackers Exploit Discord CDN Links to Distribute RAT Disguised as OneDrive File
A phishing campaign discovered by Sublime Security uses Discord CDN links to deliver a Remote Access Trojan (RAT) disguised as a OneDrive file. The lure trades on users' trust in Microsoft 365: the message presents what looks like a shared OneDrive document, but the link resolves to an attachment hosted on Discord's content delivery network. The attackers also install legitimate Remote Monitoring and Management (RMM) tools, Atera and Splashtop, and use them for ongoing remote access to the victim's machine.
Hosting the payload on Discord's CDN matters because the download comes from a well-known, widely allowed domain rather than from attacker-controlled infrastructure. Email filters and URL-reputation checks that would block a freshly registered domain often pass links to a major platform's CDN without inspecting what the link actually serves. The RMM tools are the second half of the problem. Atera and Splashtop are legitimate, widely deployed products built to provide exactly the remote access and control an attacker wants, so antivirus and endpoint tools typically do not flag their installation as malicious; the abuse lies in who installed them and why, not in the binaries themselves.
The campaign illustrates a broader shift toward abusing trusted platforms and legitimate tools instead of bespoke malware infrastructure. Because the lure imitates Microsoft 365, user awareness matters, but it is not sufficient on its own: organizations also need email and endpoint controls that inspect and block malicious payloads even when the delivery host is a legitimate service such as Discord.
No single control catches this chain, so defenders should layer measures at the email, network, and endpoint levels.
Concretely: inspect rather than implicitly trust links to content-hosting CDNs such as cdn.discordapp.com, and block or sandbox downloads of executables and archives from them where the business has no need for Discord; check that a link claiming to be a OneDrive document actually points to a Microsoft domain, since a OneDrive file does not arrive as a Discord URL; deploy endpoint protection that examines the downloaded payload and its behaviour rather than relying on domain reputation alone; keep an allowlist of approved RMM products and alert on the installation or execution of any other RMM agent, and on approved agents that appear outside the normal deployment path (for example an installer launched from a user's Downloads folder); and run regular training so users recognize this kind of lure and verify files before downloading them.
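The monitoring described above can be prototyped in a few dozen lines. The following Python is an added example, not Sublime Security's detection logic or anything from the report. The proxy and process log lines are constructed for the example, and the Discord CDN host list, the RMM name patterns, the executable extension list and the approved-RMM allowlist are assumptions to be tuned for a real environment.

```python
"""Detect the Discord-CDN lure and unexpected RMM installs from log lines.

Added example: not Sublime Security's code. Log formats are constructed for the
example; host list, RMM patterns and the allowlist are assumptions to tune.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse, unquote

# Hosts Discord serves user attachments from (assumption: extend as needed).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Filename keywords matching the Microsoft 365 / OneDrive theme of the lure.
LURE_KEYWORDS = ("onedrive", "sharepoint", "microsoft", "office365", "m365")
# File types that execute or unpack; a "document" with one of these is suspect.
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js",
                   ".vbs", ".hta", ".lnk", ".iso", ".zip")
# RMM products named in the report; the name patterns are assumptions.
RMM_PATTERNS = {
    "Atera": re.compile(r"atera", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
}
APPROVED_RMM = {"Splashtop"}   # hypothetical allowlist for this organisation
# Paths a user can write to; sanctioned RMM deployments should not start here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

URL_FIELD = re.compile(r"\burl=(\S+)")
IMAGE_FIELD = re.compile(r"\bimage=(.+)$")


@dataclass
class UrlVerdict:
    url: str
    filename: str
    discord_cdn: bool
    lure: bool
    executable: bool

    @property
    def suspicious(self) -> bool:
        # A Discord-hosted file that is executable or dressed up as a
        # Microsoft 365 document is worth blocking or alerting on.
        return self.discord_cdn and (self.lure or self.executable)


def classify_url(url: str) -> UrlVerdict:
    """Classify one URL; query strings (Discord's signing params) are ignored."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = unquote(parsed.path.rsplit("/", 1)[-1]).lower()
    return UrlVerdict(
        url=url,
        filename=filename,
        discord_cdn=host in DISCORD_CDN_HOSTS,
        lure=any(k in filename for k in LURE_KEYWORDS),
        executable=filename.endswith(EXECUTABLE_EXTS),
    )


def scan_proxy_log(lines):
    """Return verdicts for every suspicious URL found in proxy log lines."""
    hits = []
    for line in lines:
        m = URL_FIELD.search(line)
        if m:
            verdict = classify_url(m.group(1))
            if verdict.suspicious:
                hits.append(verdict)
    return hits


def scan_process_events(lines):
    """Flag RMM binaries that are unapproved, or approved but run from a user path."""
    alerts = []
    for line in lines:
        m = IMAGE_FIELD.search(line)
        if not m:
            continue
        image = m.group(1).strip()
        for product, pattern in RMM_PATTERNS.items():
            if not pattern.search(image):
                continue
            if product not in APPROVED_RMM:
                alerts.append((product, image, "unapproved RMM product"))
            elif USER_WRITABLE.search(image):
                alerts.append((product, image, "approved RMM launched from user-writable path"))
    return alerts


# Constructed sample data (not real telemetry).
PROXY_LOG = [
    "2024-05-02T10:14:03Z user=alice url=https://cdn.discordapp.com/attachments/1234567890/9876543210/OneDrive_Document.exe",
    "2024-05-02T10:15:11Z user=bob url=https://cdn.discordapp.com/attachments/1234567890/9876543211/holiday.png",
    "2024-05-02T10:16:40Z user=carol url=https://example-my.sharepoint.com/personal/carol/Documents/report.docx",
    "2024-05-02T10:17:02Z user=dave url=https://cdn.discordapp.com/attachments/1234567890/9876543212/Microsoft365_Invoice.zip?ex=66340000&is=6632ae80&hm=abc123",
]
PROCESS_EVENTS = [
    r"host=WS01 user=alice image=C:\Users\alice\Downloads\AteraAgent.msi",
    r"host=WS02 user=bob image=C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
    r"host=WS03 user=dave image=C:\Users\dave\AppData\Local\Temp\Splashtop_Streamer.exe",
]

if __name__ == "__main__":
    for v in scan_proxy_log(PROXY_LOG):
        print(f"[URL] {v.filename} lure={v.lure} executable={v.executable} <- {v.url}")
    for product, image, why in scan_process_events(PROCESS_EVENTS):
        print(f"[RMM] {product}: {image} ({why})")
```

Run against the constructed data it flags the two Discord-hosted lure files and ignores the genuine SharePoint document and the harmless image, and on the endpoint side it reports both the unapproved Atera installer and the approved Splashtop binary that was launched from a Temp directory, while the normal Splashtop service under Program Files passes. The allowlist check and the user-writable-path check are deliberately separate: the first catches products the organisation never sanctioned, the second catches a sanctioned product arriving through the wrong channel.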