This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen.
In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software are not malicious, Discord has been leveraged by threat actors to deliver malware and remote access trojans (RATs) as a command and control (C2) channel. This is the first instance X-Force has encountered a Discord C2 channel using the native Discord bot capabilities.
Initial Access
X-Force was first notified of the activity as part of an escalation of a network-based alert for gaming traffic detected on the POS network. X-Force performed an analysis of the POS system and discovered a JavaScript-based Discord bot designed to act as a command and control (C2) broker with capabilities to execute commands and collect and exfiltrate data from the system. Through X-Force’s investigation, it was discovered that initial access to the POS system was achieved through the introduction of a Raspberry PI Zero device running the P4wnP1 USB attack platform connected to the POS system via a USB port.
The Discord bot, written in JavaScript, leveraged a node.js module enabling the bot to communicate autonomously to the Discord API using an API key. Upon startup, the bot establishes a connection to the Discord API using the API key, ”guild id,” and “channel id” enabling the bot to monitor the specified channel for new messages.
The Discord bot contains two main functions leveraged for command execution and data exfiltration.
As new messages are posted to the channel, the Discord bot collects and processes the messages. Each message is decrypted and passed off to the command function where the instructions contained in the message will be executed.
In parallel to monitoring the Discord channel for new messages, the bot checks a hardcoded temp folder on a loop for new files with a “.dat” extension. When a new “.dat” file is detected, the bot chunks the file into base64 encoded and encrypted segments. The chunked files are then sent to the Discord channel as individual messages.
Discord Bot Command Execution via Node.js:
Discord Bot Data Exfiltration Function:
Post-Exploitation
Once the attacker had established a C2 channel with the Discord bot on the POS system, the attacker leveraged the bot to download post-exploitation tools to facilitate credential harvesting and lateral movement activities.
X-Force uncovered evidence indicating the attacker uploaded two additional JavaScript files that downloaded the WinRAR and Curl utilities from a remote hosting service. The attacker then used Curl and WinRAR to download and extract RAR archives containing the post-exploitation toolset.
To maintain access to the POS network outside of the Discord bot, the attacker deployed additional backdoors leveraging Ngrok and OpenSSH. X-Force recovered script files from the POS system showing that the attacker installed an OpenSSH server to enable SSH access and set up a Ngrok connection to access the system via RDP.
Credential Harvesting and Lateral Movement
In Microsoft Windows, credentials are stored in the memory space of the LSASS process. Attackers target the LSASS process for “process dumping,” which enables the attacker to dump the contents of the LSASS process’ memory to a file that enables the attackers to access the credential data. During X-Force’s investigation, evidence was recovered indicating the attacker leveraged the Microsoft Sysinternals utility ProcDump to create a memory dump file of the Local Security Authority Subsystem Service process (LSASS).
Through accessing the LSASS data, the attacker was able to recover the password for the shared local administrator account for all the POS systems within the network. Following the collection of an administrator account, the attacker attempted to move laterally leveraging Sysinternals PsExec.
Actions on Objectives: Exfiltration and Crypto Mining
X-Force identified data staged for exfiltration through the Discord bot on the POS system that included copies of the POS software, POS software drivers, operating system drivers, administrative scripts, and system backups. X-Force did not uncover any evidence that the attacker was able to access any of the payment or customer data running on the POS software and instead was focused on collecting and exfiltrating the POS software itself.
Following a period of inactivity, the attacker introduced the XMRig crypto mining software, however X-Force was unable to identify any evidence the miner software was ever used by the attacker.
Detection Opportunities for Discord Bot
Network Telemetry: Leverage network telemetry to search for or alert on network communications to the Discord API by searching for connections to URLs containing “discord.com/api” on point-of-sale networks.
File Monitoring: Leverage file monitoring to search or alert on file write activities for server.js, discord.min.js, and discordapierror.js on point-of-sale systems.
Process Execution: Leverage process execution data to search for or alert on process execution events containing node.exe on point-of-sale systems.
Detection Opportunities for Post-Exploitation
Network Telemetry: Leverage network telemetry to search for or alert on network communications to NGrok and SSH to internet routable resources from point-of-sale networks.
File Monitoring: Leverage file monitoring to search or alert on file write activities for lsass.dmp, security.hve, and system.hve on point-of-sale systems.
Process Execution: Leverage process execution data to search for or alert on process execution events containing curl.exe, procdump.exe, tcpdump.exe, and ngrok.exe on point-of-sale systems.
Prevention
X-Force recommends that removable media and USB mounting be disabled on all point-of-sale systems. When administrative or maintenance is required, X-Force recommends organizations design a process to temporarily allow removable media access only for the time to complete the administrative work.
Hardware Additions Preparedness
Attackers with physical access to unsecured enterprise systems introduce a high level of risk to an organization because physical access enables the attacker to bypass many security controls that are normally designed to prevent a remote attack. X-Force recommends organizations implement a prevention, detection, and response strategy with regard to malicious hardware additions to achieve a holistic approach to risk management.
If you are interested in learning more about how to prevent, detect, and respond to hardware additions within your organization, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for the entire threat landscape.
If you have questions and want a deeper discussion about prevention, detection, and response techniques or want to learn how IBM X-Force can help you with incident response, threat intelligence, or offensive security services schedule a follow-up meeting here:
IBM X-Force Scheduler
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 or Global hotline (+001) 312-212-8034.
Head of Research, IBM Security X-Force