Epsilon ransomware takes down Discord; gamers at stake!

Epsilon ransomware

Researchers from Zscaler ThreatLabz have confirmed attacks involving Epsilon ransomware, the XMRig cryptominer and various data and token stealers against users of the popular gaming platform Discord, delivered through spam emails and legitimate-looking links to gaming software.

The pandemic led to isolation and increased social distancing, which boosted the gaming industry and in turn led to a spike in criminals targeting this demographic.

Attackers have placed malicious files on the Discord platform that trick users into downloading infected files.

According to the researchers, the attackers successfully served up Epsilon ransomware, data-stealing Trojans and the XMRig cryptominer. They also use Discord for command-and-control communication.

Discord, a gaming platform with millions of users, has evolved dramatically into a virtual watering hole for socializing. The app is also used for creating online communities called “servers”, and supports text, voice and video features for communicating within these communities.

Like many other apps, Discord has seen an uptick in use. This is the main reason the attackers saw it as a ripe target for abuse.

Attackers have long targeted gamers by sending links and attachments that lead to downloads of fake versions of games, which in turn serve malware.

While the attackers found it easy to plant malware on Discord, researchers also found a number of other novel campaigns that used known malware to loot gamers on the platform.

According to the security researchers, Epsilon ransomware was not the only threat on Discord. The platform was also abused to distribute the XMRig miner, three other types of stealer, TroubleGrabber and several other unidentified grabbers.

The attack strategy relied on spam emails in which users were tricked into downloading legitimate-looking templates, which in turn downloaded the next-stage payloads.

To host the malicious payloads, the attackers used Discord's own services, producing URLs of the form https://cdn[.]discordapp[.]com/attachments/ChannelID/AttachmentID/filename[.]exe
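As an added example (not from the article or from Zscaler's research), the following Python detection logic recognises the attachment URL shape above, refangs defanged indicators as they appear in reports, and flags executables served from the Discord CDN in a few constructed log lines; the extension list and the sample log are assumptions.

```python
import re
from urllib.parse import urlparse

# Extensions an attacker would use to deliver a payload from a chat CDN (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi"}

# Attachment path shape from the article: /attachments/<ChannelID>/<AttachmentID>/<filename>
ATTACHMENT_RE = re.compile(r"^/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<filename>[^/?#]+)$")

# Finds URLs in free text, including the defanged hxxp:// form used in threat reports.
URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://cdn[.]discordapp[.]com/...) back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def classify_discord_attachment(url: str):
    """Describe a Discord CDN attachment URL, or return None if it is not one.
    'risky' is True when the filename carries an executable extension."""
    parsed = urlparse(refang(url.strip()))
    if parsed.scheme not in ("http", "https") or parsed.hostname != "cdn.discordapp.com":
        return None
    match = ATTACHMENT_RE.match(parsed.path)
    if not match:
        return None
    filename = match.group("filename")
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return {"channel_id": match.group("channel"), "attachment_id": match.group("attachment"),
            "filename": filename, "risky": ext in RISKY_EXTENSIONS}

def flag_log_lines(lines):
    """Return (line_no, url, filename) for each Discord attachment with a risky extension."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            info = classify_discord_attachment(url)
            if info and info["risky"]:
                hits.append((line_no, refang(url), info["filename"]))
    return hits

# Constructed sample log lines (not real traffic): two benign, two matching the article's pattern.
SAMPLE_LOG = [
    "2021-04-01T10:00:01Z user=alice GET https://cdn.discordapp.com/attachments/1234567890/9876543210/GameInstaller.exe",
    "2021-04-01T10:00:05Z user=bob GET https://cdn.discordapp.com/attachments/1234567890/9876543211/screenshot.png",
    "2021-04-01T10:00:09Z user=carol GET https://example.com/downloads/setup.exe",
    "2021-04-01T10:00:12Z email-link hxxps://cdn[.]discordapp[.]com/attachments/555/666/Launcher[.]scr",
]

if __name__ == "__main__":
    for line_no, url, filename in flag_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: risky Discord attachment {filename} ({url})")
```

The same classifier can be run over links extracted from an email gateway, since the article describes spam emails as the initial lure.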

Major discoveries

  • The attackers launched multiple campaigns using the cdn[.]discordapp[.]com service for the infectious links.
  • Cybercriminals use the Discord CDN both for command-and-control and to host malicious files.
  • Infected files are presented to gamers as pirated software or gaming software.
  • The icons used for these files were also ones gamers would find relatable.
  • Different types of malware were hosted on Discord’s CDN: ransomware, stealers and cryptominers.

Analysis

Epsilon ransomware was first discovered by the virus analyst Amigo-A, who concluded that it belongs to the HiddenTear ransomware family. The ransomware encrypts all the data on the PC and appends its extension to every file, after which it creates a READ_ME.hta file in every folder that contains encrypted files.

Epsilon begins execution by planting an .inf file and an .exe file in the Windows folder or a temporary folder on the user’s device. The malware then creates an encryption key, walks the system drives and encrypts files using a double-encryption technique: it randomly generates a 32-bit key and applies a custom RC4 encryption with a 2048-bit key.

Once the encryption process is done, it downloads the ransom note image onto the victim’s machine.

Unlike the other malware described here, this ransomware does not use Discord for C2 communication.

How to safeguard against Epsilon?

  • Use verified and official download sources.
  • Update and activate all programs using the tools provided by their developers, as third-party updaters may include malware.
  • Protect user privacy: install an anti-virus product and keep it updated. Examples of anti-virus software:

Norton – https://buy-static.norton.com

Kaspersky – https://www.kaspersky.co.in

RedLine stealer is Russian malware that begins its attack by dropping a copy of itself into the AppData or Roaming folders on the user’s system. It then collects login credentials and passwords, cookies and credit card details, and steals data from IM and FTP clients.

XMRig, meanwhile, drops a copy of itself at %ProgramData%\RealtekHDUpdater\realtekdrv[.]exe, modifies system files without the user’s consent and connects to its C2 server.

13 comments

  1. At the beginning, I was still puzzled. Since I read your article, I have been very impressed. It has provided a lot of innovative ideas for my thesis related to gate.io. Thank you. But I still have some doubts, can you help me? Thanks.
