Abaddon using Discord as a C2

Overview

At time of writing, Abaddon might be the first RAT using Discord as a C2 to carry out attacks and execute commands on infected machines.

While this might not be a big threat to companies (assuming you have already blacklisted all Discord domains, since there is no reason for them to be allowed on a corporate network), it does expose regular Discord users to data theft and possibly to a ransomware attack.

Fortunately, the sample was caught by threat intelligence analysts while still under development and, as far as we can tell, this exact non-functional sample does not pose any threat, yet.

We believe that similar attacks should be taken seriously, since all communications go through Discord servers, making it really difficult, or nearly impossible, to filter the malicious traffic.

Functionalities

  • Stealing cookies and cached credentials or credit cards;
  • RAT capabilities through Discord;
  • Encrypt / decrypt files asking for a ransom;
  • Establishing remote code execution.

Disclaimer

This report has been made in collaboration with all the members of MalPhobic, a group of security enthusiasts, students and professionals.

You can find us on Twitter or follow our GitHub repository.

Our recommendation

Knowing your environment is important before blocking known-good domains. However, if you know that you have no use for Discord in your environment, we recommend blocking the following domains as a preventative measure against potential future threats that also use Discord as a C2:

  • discord.com
  • discord.gg
  • discord.media
  • discordapp.com
  • discordapp.net
  • watchanimeattheoffice.com
  • discord.co
  • dis.gd
  • bigbeans.solutions
  • anonfiles.com
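As an added example (not part of the original report and not tooling from MalPhobic), here is a small Go program that applies the block list above as a domain-suffix match and runs it over a few constructed DNS query log lines. The log format ("timestamp client queried-name"), the client addresses and the function names are assumptions for illustration only; the point is that a suffix match catches subdomains such as cdn.discordapp.com while leaving look-alike names such as notdiscord.com alone.

```go
package main

import (
	"fmt"
	"strings"
)

// Domains recommended for blocking in the report (Discord-owned domains plus
// the AnonFiles host the sample uses for file exfiltration).
var blockedDomains = []string{
	"discord.com", "discord.gg", "discord.media",
	"discordapp.com", "discordapp.net", "watchanimeattheoffice.com",
	"discord.co", "dis.gd", "bigbeans.solutions",
	"anonfiles.com",
}

// IsBlocked reports whether host is one of the blocked domains or a subdomain
// of one. A trailing dot (as written in many DNS logs) and letter case are
// ignored; "notdiscord.com" does not match because the suffix must start at a
// label boundary.
func IsBlocked(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range blockedDomains {
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

// FlagQueries scans log lines of the constructed form
// "<timestamp> <client-ip> <queried-name>" (an assumed format, not any real
// resolver's) and returns "client -> name" for every query that hits the list.
func FlagQueries(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue // malformed line, skip it
		}
		if IsBlocked(fields[2]) {
			hits = append(hits, fields[1]+" -> "+fields[2])
		}
	}
	return hits
}

// Constructed sample log lines for a stand-alone run.
var sampleLog = []string{
	"2020-10-27T10:00:01Z 10.0.0.5 cdn.discordapp.com.",
	"2020-10-27T10:00:02Z 10.0.0.5 www.example.com",
	"2020-10-27T10:00:03Z 10.0.0.7 api.anonfiles.com",
	"2020-10-27T10:00:04Z 10.0.0.9 discord.company.internal",
	"2020-10-27T10:00:05Z 10.0.0.9 notdiscord.com",
}

func main() {
	for _, h := range FlagQueries(sampleLog) {
		fmt.Println("blocked:", h)
	}
}
```

The same suffix logic is what a resolver block list (RPZ, Pi-hole style) applies, so the list can be dropped into such a resolver unchanged; the log scan is the retrospective version of the same check for environments where blocking is not yet in place.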

General file information

MD5: f45a0a9d9d63fc71c5189e3ae282c7f7

SHA1: 2bfc56dfeebbe6a7cc0dacb35fabfa3ea842f100

SHA256: 74f58ab637713ca0463c3842cd71176a887b132d13d32f9841c03f59c359c6d7

IMPHASH: F34D5F2D4577ED6D9CEEC516C1F5A744

The sample has been downloaded from here

Technical Analysis

Before diving into the code, we wanted to better understand the sample’s behaviour and network activity, so we used Any Run, Cape, Hybrid Analysis and Intezer Analyze to gather additional details.

The sample always failed to execute in any of the analysis environments, leading us to think that anti-debug and anti-sandbox techniques were being used.

Only later did we discover that two libraries were missing from the sample and some methods were incomplete, causing it to crash immediately.

The only interesting thing we managed to find was thanks to Intezer:

Sample’s strings including interesting network artifacts
Sample’s strings including method names

Static Analysis

Discord as a C2

The technique of using Discord as C2 is still emerging, but as more malware authors pick up on the perks of using Discord as a C2, it is sure to become more widespread.

All communications are TLS encrypted, and can’t be distinguished from normal Discord traffic.

Besides all the traffic being encrypted, using Discord as a C2 also enables quick setup of new, free infrastructure: the threat actor can create a new server per campaign and host any files the malware needs on Discord's CDN (Content Delivery Network), all without spending any money.

One downside to using Discord as C2 is the need to use a token, which, if extracted from the malware, can be used to take over any server where the Discord bot resides.

This can be somewhat mitigated by encrypting the token, and only decrypting it with a key that is obtained during runtime.

We believe that HERA (one of the missing libraries) was used to operate on encrypted data without the necessity of decrypting it, avoiding leaking the server's token to any analysts analysing the sample.

Replicating the C2 server

A member of our group managed to replicate some aspects of this sample, and here is what the attacker might see on their end:

An example of a communication between the attacker and the C2

And here is an example of what the traffic might look like when executing those commands; as you can see, it is standard Discord TLS-encrypted traffic:

Network activity between C2 and the victim

Available commands

In order to execute a command on a given machine, the attacker needs to know its hardware ID (GUID).

Here’s a list of all the available commands:

  • GetFile
  • GetDirectory
  • GetDirectoryRecursive
  • GetDeviceTree
  • Shell
  • ReportBack
  • Ransom
  • RansomDecrypt

Stolen information

Upon execution, the sample tries to extract information from the following applications:

  • Steam
  • Chromium (multiple variants)
  • Discord

Discord

The sample tries to find the token in Discord's log files and then validates it through Discord's API (https[:]//discord.com/api/v8/users/@me).

Enumerating .log and .ldb files

It then extracts any useful information these files hold, including the victim's MFA code.

Log parsing method

Finally, before sending the token back to the C2, it will try to validate it through Discord’s API.

Validating the token

Steam

The following function reads any Steam session files to obtain the username, installed apps, cookies and the password, if it has been saved.

Retrieving Steam session files

The sample will also try to use any Steam-related cookies it has obtained to send a GET request to Steam, in an attempt to validate them.

If successful, it will send back the cookie, the email associated with that account, the username and the Steam wallet balance.

Verifying and sending back the verified credentials

Chromium

Like a lot of other “stealers”, this malware will try to extract the following data from the Chromium databases:

  • Cookies
  • Credit cards
  • Logins

It does this simply by running SQL queries against the Chromium databases.

SQL queries to retrieve cookies
SQL query to retrieve saved credit cards

Affected Chromium variants:

  • Google Chrome
  • Microsoft Edge Beta
  • Google Chrome x86
  • Chromium
  • Opera

Keywords searched:

  • Amazon
  • Blizzard
  • Comixology
  • Crunchyroll
  • Discord
  • Google
  • HBO
  • Hulu
  • Mail
  • Mega
  • Microsoft
  • Netflix
  • Origin
  • Patreon
  • Paypal
  • Reddit
  • Sony
  • Steam
  • Twitter
  • Bitcoin
  • BTC
  • Bank
  • Moner
  • XMR
  • Uplay
  • Coin
  • Xchange

Exfiltration method

The malware's main exfiltration channel is Discord, where it sends the results of all commands.

This exfiltration method is quite convenient, and is what might attract more malware authors to Discord as a C2 in the future.

All connections are TLS encrypted and blend in with other Discord traffic; nothing in the traffic indicates that it is a bot communicating with Discord.

However, when exfiltrating files, the malware opts to use AnonFile (an anonymous file hosting service), where it will upload the files, and send the URL back to the Discord C2.

Missing libraries

The malware seems to have been compiled without the correct libraries; specifically, it seems to be missing the Discord.NET and HERA libraries.

This results in the malware not being able to execute properly.

While we tried several Discord.NET projects available on GitHub, none of them worked or matched the methods used by the sample, leading us to believe that the author might have added custom code.

HERA

Homomorphic encryption refers to encryption schemes that allow the cloud to compute directly on the encrypted data, without requiring the data to be decrypted first. The results of such encrypted computations remain encrypted, and can be only decrypted with the secret key (by the data owner). Multiple homomorphic encryption schemes with different capabilities and trade-offs have been invented over the past decade; most of these are public-key encryption schemes, although the public-key functionality may not always be needed […]

For more information, read this academic paper and Microsoft's GitHub project.

Ransomware capabilities

The malware uses standard AES-128 to encrypt files, with a random IV which it prepends to the encrypted file.

If no master key is supplied, it will choose a random 16-byte key and proceed with encryption.

For decryption, it will strip the extension it appended when encrypting (“.abenc”).

After that, it will read the first 16 bytes of the file (the IV), then decrypt the file using the master key supplied as an argument.
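To make the described file layout concrete for anyone writing a recovery tool for affected files, here is an added Go example; it is not the sample's code and not from the report, and it reproduces only what the text states: a 16-byte IV followed by the AES-128 ciphertext, a random 16-byte key drawn when no master key is supplied, and the “.abenc” extension stripped on decryption. The report does not name the cipher mode or padding, so CBC with PKCS#7 (the .NET Aes defaults) is an assumption here, as are the function names and the constructed key and plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Extension the sample appends to encrypted files (from the report).
const encExt = ".abenc"

// PKCS#7 padding. Mode and padding are not stated in the report; CBC with
// PKCS#7 (the .NET Aes defaults) is an assumption made in this example.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptAbenc reproduces the layout described above: a random 16-byte IV
// followed by the AES-128 ciphertext. When key is nil a random 16-byte key is
// drawn, as the sample does without a master key; the key used is returned.
func EncryptAbenc(plain, key []byte) (out, usedKey []byte, err error) {
	if key == nil {
		key = make([]byte, 16)
		if _, err = io.ReadFull(rand.Reader, key); err != nil {
			return nil, nil, err
		}
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
		return nil, nil, err
	}
	ct := pkcs7Pad(append([]byte(nil), plain...), aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return append(iv, ct...), key, nil
}

// DecryptAbenc is the recovery side: the first 16 bytes are the IV and the
// remainder is decrypted with the supplied master key.
func DecryptAbenc(data, key []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("file too short to hold an IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := data[:aes.BlockSize]
	ct := append([]byte(nil), data[aes.BlockSize:]...)
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct)
	return pkcs7Unpad(ct, aes.BlockSize)
}

// OriginalName strips the appended extension, as the decryption routine does;
// the boolean reports whether the name carried it at all.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, encExt) {
		return name, false
	}
	return strings.TrimSuffix(name, encExt), true
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte master key
	enc, _, err := EncryptAbenc([]byte("constructed document contents"), key)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptAbenc(enc, key)
	if err != nil {
		panic(err)
	}
	name, _ := OriginalName("report.docx" + encExt)
	fmt.Printf("%s (%d bytes on disk): %q\n", name, len(enc), dec)
}
```

The practical consequence for responders follows from the layout: because the IV sits in the file and the key is either the attacker-supplied master key or a random one generated at run time, recovery depends entirely on obtaining that key (from a memory capture or from the C2 side); nothing in the file itself helps.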

Calling methods from the C2

Encryption mechanism
Decryption mechanism

IOCs

  • Extension “.abenc”
  • indsv.pdb
  • https[:]//api.anonfiles.com/upload

YARA rules

/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2020-10-27
   Identifier: malware
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

rule abaddon_rat {
   meta:
      description = "Abaddon Discord RAT"
      author = "MalPhobic Group"
      date = "2020-10-27"
      hash1 = "74f58ab637713ca0463c3842cd71176a887b132d13d32f9841c03f59c359c6d7"
   strings:
      $x1 = "C:\\Users\\krauz\\source\\repos\\Abaddon\\obj\\Release\\netcoreapp3.1\\indsv.pdb" fullword ascii
      $y1 = "https://discord.com/api/v8/users/@me" fullword wide
      $y2 = "indsv.dll" fullword wide
      $y3 = "store.steampowered.com" fullword wide
      $y4 = "<GetLoginFromCookies>b__1_0" fullword ascii
      $y5 = "<GetLoginFromCookies>b__1_3" fullword ascii
      $y6 = "<GetLoginFromCookies>b__1_1" fullword ascii
      $y7 = "GetLogins" fullword ascii
      $y8 = "<GetLoginFromCookies>b__1_2" fullword ascii
      $y9 = "GetLoginFromCookies" fullword ascii
      $z1 = "SELECT host_key, name, path, expires_utc, is_secure, encrypted_value FROM cookies" fullword wide
      $z2 = "https://store.steampowered.com/account/" fullword wide
      $z3 = "href=\"https://store.steampowered.com/account/history/\"" fullword wide
      $z4 = "get_EncryptedDump" fullword ascii
      $z5 = "https://api.anonfiles.com/upload" fullword wide
      $z6 = "System.Diagnostics.Process" fullword ascii
      $z7 = "Abaddon.Targets" fullword ascii
   condition:
      uint16(0) == 0x5A4D and
      ( 1 of ($x*) and 4 of ($y*) and 3 of ($z*)) and
      filesize < 200KB
}
